
IRP Hook?

Discussion in 'Virus & Other Malware Removal' started by Schle2, Oct 2, 2012.

  1. Schle2 (Thread Starter), joined Aug 12, 2004, 67 messages
    Hello,

    Yesterday while browsing online Prevx 3.0 warned of a potential threat. I closed the browser and everything seemed fine. Prevx, however, kept wanting to scan my computer. Normally Prevx takes a minute or 2 to run a scan but this time, after almost 10 minutes, it was still scanning but with no progress on the progress bar. I clicked cancel and Prevx said it was aborting the scan but that kept hanging too. I ended up having to manually shut down the computer. Upon reboot, the PC started properly but I could not really do anything as the computer kept freezing. In safe mode I was able to run AVG Free but with no threats. After several reboots (both normal and safe mode) I was able to run Spybot in normal mode; again the results were clean. However, upon every reboot, Prevx was showing it was still scanning and every time it was hanging and continued to hang upon cancel scan. The PC would start up fine in normal mode and I could access folders but could not open any Word or Excel docs in the folders. I could not open a browser or Outlook. Finally earlier today after several more reboots, for a reason unbeknownst to me, the computer started up just fine, Outlook opened, I could access all files, and get online. I checked Prevx then again and it said last scan was run 10 minutes ago, took the normal 2 minutes or so, and was clean. Since then everything has been working just fine.

    I did run an AVG Free scan then and had 1 warning for IRP Hook,\driver\atapi driverStartIO->0x85c5be2. I have seen false positives for rootkits before with AVG so I don't know if my computer is OK now or not. I have not, and will not, reboot or shut down until I know, just to be safe.

    Note I use AVG Free. The Prevx 3.0 was installed years ago and I no longer have a paid subscription for it. The only reason it remains on my machine is that I cannot uninstall it. There is no uninstall feature and even Revo could not do it.

    Could Prevx have just messed up and I am OK? Or do I really have a rootkit problem?

    I am running Windows XP SP3 on a DELL Dimension E521.

    All required logs are below and attached.

    Please let me know what I should do, if anything. Please let me know if you need more info.

    Your help is greatly appreciated.

    Thanks,
    Schle2

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:33:57 PM, on 10/2/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\bubtydvw\bubtydvw.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PGPserv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Kirk Nagle\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex
    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://commercebank.webex.com/client/T27LC/webex/ieatgpc.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\ocmapihk.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CSIScanner - Prevx - C:\Program Files\bubtydvw\bubtydvw.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Kirk%20Nagle/My%20Documents/My%20Music%20%26%20Pictures/My%20Pictures/simpsn4.gif
    O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Kirk%20Nagle/My%20Documents/My%20Music%20%26%20Pictures/My%20Pictures/mvr.jpg

    --
    End of file - 9563 bytes

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Kirk Nagle at 14:35:24 on 2012-10-02
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.490 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    svchost.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\bubtydvw\bubtydvw.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PGPserv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\REGSVR32.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_ActiveX.exe -update activex
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [<NO NAME>]
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    LSP: c:\windows\system32\PGPlsp.dll
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://commercebank.webex.com/client/T27LC/webex/ieatgpc.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{AD56B1C2-4136-48DC-AA2F-F579D1FBD202} : DhcpNameServer = 192.168.1.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: LMIinit - LMIinit.dll
    AppInit_DLLs: c:\windows\system32\ocmapihk.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 31952]
    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-12-8 32008]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 237408]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 301920]
    R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-12-8 76696]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 CSIScanner;CSIScanner;c:\program files\bubtydvw\bubtydvw.exe [2010-12-15 6416120]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-7-5 374184]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-6-8 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-20 47640]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-24 24652]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-12-8 26096]
    S?2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
    S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2008-10-29 23096]
    S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2008-10-29 3768]
    S3 TucbAudio;TucbAudio;c:\windows\system32\drivers\TucbAudio.sys [2008-10-29 23096]
    S3 TucbVideo;TucbVideo;c:\windows\system32\drivers\TucbVideo.sys [2008-10-29 3768]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2012-09-10 12:57:38 -------- d-sh--w- c:\documents and settings\kirk nagle\IECompatCache
    2012-09-07 12:57:53 -------- d-sh--w- c:\documents and settings\kirk nagle\PrivacIE
    2012-09-07 12:54:05 -------- d-sh--w- c:\documents and settings\kirk nagle\IETldCache
    2012-09-07 12:44:53 -------- d-----w- c:\windows\ie8updates
    2012-09-07 12:40:05 -------- dc-h--w- c:\windows\ie8
    2012-09-07 12:35:32 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
    2012-09-07 12:34:07 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
    2012-09-07 12:34:01 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2012-09-07 12:33:57 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2012-09-07 12:33:56 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    .
    ==================== Find3M ====================
    .
    2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
    2012-08-24 19:43:18 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-07-26 07:21:30 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-05 22:10:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-05 22:09:54 52128 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2012-07-05 22:09:46 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-05 22:09:44 87456 ----a-w- c:\windows\system32\LMIinit.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    .
    Disk trace:
    kernel: MBR read successfully
    _asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x85C5B2E2
    user != kernel MBR !!!
    .
    ============= FINISH: 14:46:53.78 ===============

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-02 15:04:26
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 rev.
    Running: bt3vjj6z.exe; Driver: C:\DOCUME~1\KIRKNA~1\LOCALS~1\Temp\kxtdapog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAllocateVirtualMemory [0xF1102F60]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xF1102AF0]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xF1102B40]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDebugActiveProcess [0xF1102F10]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xF1102810]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xF11028D0]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDuplicateObject [0xF1103180]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xB98A5004]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xB98A50D4]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB98A4D76]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenSection [0xF1102CD0]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xF1103320]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xF1102BE0]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xF1102AA0]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xF11029B0]
    SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSystemDebugControl [0xF1102E80]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB98A4E1E]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB98A4EBA]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB98A4F56]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6D65360, 0x2456AE, 0xE8000020]
    ? C:\DOCUME~1\KIRKNA~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[304] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 039D7B40 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\WINDOWS\Explorer.EXE[304] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 039D7090 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\WINDOWS\Explorer.EXE[304] USER32.dll!SetWindowTextW 7E42960E 5 Bytes JMP 039D7800 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02C97940 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtCreateSection 7C90D17E 5 Bytes JMP 02C97A60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 02C978D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtOpenSection 7C90D62E 5 Bytes JMP 02C97B00 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 02C97B40 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 02C97090 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] kernel32.dll!OutputDebugStringA 7C85AD4C 5 Bytes JMP 02C97D60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ADVAPI32.dll!CredEnumerateW 77E18099 7 Bytes JMP 02C96FB0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostMessageW 7E418CCB 5 Bytes JMP 02C96ED0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostThreadMessageW 7E4277B8 5 Bytes JMP 02C92740 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostThreadMessageA 7E4277C5 5 Bytes JMP 02C92720 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AB5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 02C96AA0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SetWindowTextW 7E42960E 5 Bytes JMP 02C97800 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostMessageA 7E42AAFD 5 Bytes JMP 02C96E90 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 02C96D20 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendNotifyMessageW 7E42D64F 5 Bytes JMP 02C96C90 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 02C96DC0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 02C969D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 02C96CD0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendNotifyMessageA 7E453948 5 Bytes JMP 02C96C50 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 02C96D70 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E75C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 02C92890 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 02C92950 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 02C928D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02C92910 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 02C92850 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestW 3D94FACE 5 Bytes JMP 02C927C0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestA 3D95EEA1 5 Bytes JMP 02C92760 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!InternetWriteFile 3D9A6116 5 Bytes JMP 02C92790 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestExA 3D9BA6DA 5 Bytes JMP 02C92820 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestExW 3D9BA733 5 Bytes JMP 02C927F0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] CRYPT32.dll!CryptUnprotectData 77A8BAF0 7 Bytes JMP 02C96F30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1408] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 001A3D1B
    .text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 001A4608
    .text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 001A4669
    .text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 001A46D9
    .text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!IsWindowVisible 7E429E3D 5 Bytes JMP 001A470C
    .text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!MessageBoxIndirectW 7E4664D5 6 Bytes [33, C0, 40, C2, 04, 00] {XOR EAX, EAX; INC EAX; RET 0x4}
    .text C:\WINDOWS\System32\svchost.exe[1408] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 001A4872
    .text C:\WINDOWS\System32\svchost.exe[1408] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 001A4848
    .text C:\WINDOWS\System32\svchost.exe[1408] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 001A456A
    .text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[2512] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 30F52DF0 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)
    .text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5276] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 30F52DF0 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85C5B2E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85C5B2E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85C5B2E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85C5B2E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85C5B2E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 85C5B2E2

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp pxrts.sys (Prevx Realtime Security/Prevx)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp pxrts.sys (Prevx Realtime Security/Prevx)

    Device \FileSystem\Fastfat \Fat B5DCED20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{46816BA2-05F1-8E48-086B-7A57E06F816B}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{46816BA2-05F1-8E48-086B-7A57E06F816B}@ianodokknbnmaciigh 0x6A 0x61 0x61 0x6B ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{46816BA2-05F1-8E48-086B-7A57E06F816B}@haholedfjcbhgmik 0x6B 0x61 0x65 0x6B ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@iaolcoakhjemlgikap 0x6A 0x61 0x6C 0x67 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@haemaogmokhamhib 0x6B 0x61 0x68 0x68 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@haknklpgnigjdcah 0x61 0x61 0x00 0x7E
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@haknklpgiipelkhg 0x61 0x61 0x00 0x7E

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
     


  2. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    bump
     
  3. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,889
    you definitely have a problem & malware is running according to the logs


    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here to your Desktop.
    As you download it rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on renamed combofix.exe & follow the prompts.
    If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot is due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...


    Strong Warning:

    I have frequently found that combofix & other tools will not work, when Prevx is installed and active
    If you cannot uninstall prevx then we might be forced to consider format & reinstal lof operating system

    Use the appropriate PrevX uninstall tool from here http://info.prevx.com/removaltool.asp
     
  4. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    Thanks Derek. I will get rid of Prevx and follow your instructions. I will post back when this is completed.
    Mark
     
  5. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    Hi Derek,

    I was able to uninstall Prevx. I closed all browsers and programs and disabled AVG. I literally renamed the combofix.exe to username123.exe (I hope I was not supposed to put in the 'real user name'123). When I ran the executable it started to run fine. It did say it would take about 10 minutes but could easily double for badly infected computers. After about 8-9 minutes I was up to Completed Stage 48. Another 15 minutes has gone by but no additional progress has been made. There is a blinking 'cursor' underneath the last entry of Completed Stage 48. Should I close and try again? Or something else?

    Thanks,
    Mark
     
  6. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    Hi Derek,

    After about an hour, ComboFix never got past stage 48. I closed. I did nothing else. I don't know if I can simply try running ComboFix again or if something else must be done first.

    Please advise.

    Thanks,
    Mark
     
  7. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,889
    just leave combofix running when that cursor is blinking
    in some infections, it can take over 2 or even 3 hours to do a full run & clean up

    now just reboot & run combofix again & do not interfere with it, just walk away & have a cup of coffee or whatever & check occasionally on it, BUT don't worry if it is still scanning in 3 hours or so with this infection. Make sure AVG is disabled properly as well or that will block some stages of combofix. It is often better to uninstall AVG when dealing with difficult infections
     
  8. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    got it Derek.

    Originally I disabled AVG for 15 minutes only (bleeping computer advice). Maybe the problem was that AVG turned back on and messed up the ComboFix.

    I am not sure whether I can try again now or if I might have to wait until later today. Either way I will post the log once I have that.

    Thanks again.
    Mark
     
  9. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    Hi Derek.

    I rebooted and tried running ComboFix again and just let it go. After about 30 minutes it was still at completed stage 48. I left the computer alone. This morning (about 17 hours later) I checked and it made no further progress; still was sitting at completed stage 48.

    Can I run ComboFix in safe mode? Every time I reboot now I get different results. Every time it boots up normally but sometimes I have the recover active desktop screen - sometimes not. Either way I can open folders such as my documents or my computer. However I cannot access any files anywhere. I cannot get online either. In processes in the task manager I can see that Explorer, Excel, Word, etc (whatever I tried to use) is listed as active processes. Ending those processes and trying again does nothing. The computer will recognize that a flash drive or something was inserted into a USB port but I cannot access that. I can access an external hard drive while in safe mode. Safe mode boots up just fine. I did backup everything important and even items not so important so I am not too worried about losing anything.

    I cannot get AVG 2010 Free to uninstall by the way. I tried add/remove programs, Revo, and the force uninstall program from AVG. I don't know if AVG is what is keeping ComboFix from completing its scan or if my computer is just that bad.

    What do you suggest? ComboFix in safe mode, some other program, wiping out the hard drive and reinstalling everything, or maybe just buying a new hard drive and loading everything on that?

    Please let me know what you think.

    Thanks much.
    Mark
     
  10. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    hi again.

    I successfully uninstalled AVG finally with the removal tool. I started up again in normal mode and everything is working again, finally. I can open Word, Outlook, IE, etc. I am sure my problem is not solved yet though.

    My instinct is to try running ComboFix again now but I am leaving well enough alone for the time being.

    Please let me know your thoughts on what to do next.

    Thanks again,
    Mark
     
  11. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,889
    I would try combofix again
    there are definitely malware files & entries in the dds log that we need to fix
     
  12. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    Hi Derek.

    I tried running ComboFix again this morning and it again stalled after completed stage 48. I rebooted and tried again with the same result. I believe this is 4 or 5 times now that ComboFix stalled after completed stage 48. I did wait very long to make sure it really stalled and was not just still running.

    Should I try this and then try ComboFix again? (can starting 'fresh' help?)

    *Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
    * Click START then RUN
    * Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

    This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

    Or is there something else I should try.

    At this point I am not sure what to do any longer.

    Please advise.

    Thanks,
    Mark
     
  13. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,889
    uninstall combofix

    then

    Download OTScanIt.exe to your Desktop
    • Close any open browsers.
    • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
    • Double-click on OTS.exe to start the program.
    • Now on the toolbar at the top select "Scan all users" then click the Run Scan button
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  14. Schle2

    Schle2 Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    67
    Hi Derek,
    I apologize for the delay in getting back to you. I finally had the chance to uninstall ComboFix and run OTS. Here is the log.

    Please let me know...

    thanks,
    Mark

    Code:
    OTS logfile created on: 10/16/2012 8:29:20 AM - Run 1
    OTS by OldTimer - Version 3.1.47.2     Folder = C:\Documents and Settings\Kirk Nagle\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
     
    958.00 Mb Total Physical Memory | 620.00 Mb Available Physical Memory | 65.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]
     
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 145.75 Gb Total Space | 116.86 Gb Free Space | 80.18% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
     
    Computer Name: DRA02
    Current User Name: Kirk Nagle
    Logged in as Administrator.
     
    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
     
    [Processes - Safe List]
    ots.exe -> C:\Documents and Settings\Kirk Nagle\Desktop\OTS.exe -> [2012/10/16 07:53:48 | 000,646,656 | ---- | M] (OldTimer Tools)
    explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
    hpzipm12.exe -> C:\WINDOWS\system32\HPZipm12.exe -> [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP)
    viewmgr.exe -> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe -> [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation)
    viewpointservice.exe -> C:\Program Files\Viewpoint\Common\ViewpointService.exe -> [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation)
    realplay.exe -> C:\Program Files\Real\RealPlayer\realplay.exe -> [2006/12/27 12:45:02 | 000,026,112 | ---- | M] (RealNetworks, Inc.)
    stsystra.exe -> C:\WINDOWS\stsystra.exe -> [2006/08/15 04:00:20 | 000,282,624 | ---- | M] (SigmaTel, Inc.)
    corel photo downloader.exe -> C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe -> [2006/08/14 15:20:26 | 000,462,336 | ---- | M] (Corel, Inc.)
    pgpserv.exe -> C:\WINDOWS\system32\PGPserv.exe -> [2006/04/05 12:28:50 | 000,073,728 | ---- | M] (PGP Corporation)
    dmxlauncher.exe -> C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> [2005/10/05 04:12:00 | 000,094,208 | ---- | M] ()
    dlactrlw.exe -> C:\WINDOWS\system32\DLA\DLACTRLW.EXE -> [2005/09/08 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions)
     
    [Modules - No Company Name]
    nvapi.dll -> C:\WINDOWS\system32\nvapi.dll -> [2006/08/23 13:12:38 | 000,196,608 | ---- | M] ()
    xmltok.dll -> C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll -> [2005/10/20 11:36:08 | 000,077,824 | R--- | M] ()
    xmlparse.dll -> C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll -> [2005/10/20 11:36:08 | 000,065,536 | R--- | M] ()
    dmxlauncher.exe -> C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> [2005/10/05 04:12:00 | 000,094,208 | ---- | M] ()
    pdfmonnt.dll -> C:\WINDOWS\system32\pdfmonnt.dll -> [2001/10/29 01:42:30 | 000,116,224 | ---- | M] ()
     
    [Win32 Services - Safe List]
    (LMIMaint) LogMeIn Maintenance Service [Auto | Stopped] ->  -> File not found
    (HidServ) Human Interface Device Access [Disabled | Stopped] ->  -> File not found
    (Pml Driver HPZ12) Pml Driver HPZ12 [Auto | Running] -> C:\WINDOWS\system32\HPZipm12.exe -> [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP)
    (Viewpoint Manager Service) Viewpoint Manager Service [Auto | Running] -> C:\Program Files\Viewpoint\Common\ViewpointService.exe -> [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation)
    (PGPserv) PGPserv [Auto | Running] -> C:\WINDOWS\system32\PGPserv.exe -> [2006/04/05 12:28:50 | 000,073,728 | ---- | M] (PGP Corporation)
    (SymWSC) SymWMI Service [Auto | Stopped] -> C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -> [2004/11/02 17:59:50 | 000,316,544 | ---- | M] (Symantec Corporation)
     
    [Driver Services - Safe List]
    (LMIRfsClientNP) LMIRfsClientNP [File_System | Disabled | Stopped] -> C:\WINDOWS\System32\LMIRfsClientNP.dll -> [2012/07/05 18:10:02 | 000,083,392 | ---- | M] (LogMeIn, Inc.)
    (LMIRfsDriver) LogMeIn Remote File System Driver [File_System | Auto | Running] -> C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -> [2012/06/08 12:06:24 | 000,047,640 | ---- | M] (LogMeIn, Inc.)
    (pxkbf) pxkbf [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\pxkbf.sys -> [2011/09/20 23:55:48 | 000,026,096 | ---- | M] (Prevx)
    (TucbVideo) TucbVideo [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\TucbVideo.sys -> [2008/10/24 11:21:16 | 000,003,768 | ---- | M] (Windows (R) 2000 DDK provider)
    (TucbAudio) TucbAudio [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\TucbAudio.sys -> [2008/10/24 11:21:14 | 000,023,096 | ---- | M] (Windows (R) Codename Longhorn DDK provider)
    (MusCVideo) MusCVideo [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MusCVideo.sys -> [2008/10/24 11:16:46 | 000,003,768 | ---- | M] (Windows (R) 2000 DDK provider)
    (MusCAudio) MusCAudio [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MusCAudio.sys -> [2008/10/24 11:16:44 | 000,023,096 | ---- | M] (Windows (R) Codename Longhorn DDK provider)
    (ASCTRM) ASCTRM [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\asctrm.sys -> [2006/12/27 12:45:04 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider)
    (STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sthda.sys -> [2006/08/15 04:00:18 | 001,171,464 | ---- | M] (SigmaTel, Inc.)
    (bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\bcm4sbxp.sys -> [2006/08/14 07:29:44 | 000,044,544 | ---- | M] (Broadcom Corporation)
    (nvatabus) nvatabus [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\drivers\nvatabus.sys -> [2006/08/05 08:00:40 | 000,105,344 | ---- | M] (NVIDIA Corporation)
    (AmdK8) AMD Processor Driver [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\AmdK8.sys -> [2006/06/18 22:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices)
    (PGPdisk) PGPdisk [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\PGPdisk.sys -> [2006/04/05 12:39:40 | 000,217,600 | ---- | M] (PGP Corporation)
    (PGPwded) PGPwded Storage Filter Service [Kernel | Boot | Running] -> C:\WINDOWS\System32\drivers\PGPwded.sys -> [2006/04/05 12:36:04 | 000,136,192 | ---- | M] (PGP Corporation)
    (PGPsdkDriver) PGPsdkDriver [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\PGPsdk.sys -> [2006/04/05 12:35:46 | 000,038,912 | ---- | M] (PGP Corporation)
    (DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -> [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions)
    (DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -> [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions)
    (DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -> [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions)
    (DLABOIOM) DLABOIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLABOIOM.SYS -> [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions)
    (DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -> [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions)
    (DLAPoolM) DLAPoolM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAPoolM.SYS -> [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions)
    (DLADResN) DLADResN [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLADResN.SYS -> [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions)
    (DLACDBHM) DLACDBHM [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLACDBHM.SYS -> [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions)
    (DLARTL_N) DLARTL_N [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLARTL_N.SYS -> [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions)
    (Sentinel) Sentinel [Kernel | Auto | Stopped] -> C:\WINDOWS\System32\Drivers\SENTINEL.SYS -> [1999/07/20 06:38:00 | 000,073,216 | ---- | M] ()
    (Sntnlusb) Sntnlusb [Kernel | Auto | Stopped] -> C:\WINDOWS\System32\Drivers\SNTNLUSB.SYS -> [1999/07/20 06:38:00 | 000,008,128 | R--- | M] (Rainbow Technologies Inc.)
     
    [Registry - Safe List]
    < Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
    HKEY_LOCAL_MACHINE\: Search\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
    HKEY_LOCAL_MACHINE\: Search\\"Start Page" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
    < Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
    HKEY_USERS\.DEFAULT\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
    HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
    < Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
    HKEY_USERS\S-1-5-18\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
    HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
    < Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
    < Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
    < Internet Explorer Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\: Main\\"Start Page" -> http://www.msn.com/ -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\: "ProxyEnable" -> 0 -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\: "ProxyOverride" -> *.local -> 
    < FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
    HKLM\software\mozilla\Firefox\Extensions ->  -> 
    HKLM\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF} -> C:\PROGRAM FILES\AVG\AVG2012\FIREFOX\DONOTTRACK\ -> 
    < FireFox Extensions [User Folders] > -> 
    < HOSTS File > ([2010/12/14 13:01:11 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
    Reset Hosts
    127.0.0.1       localhost
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
    {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} [HKLM] ->  [AVG Do Not Track] -> File not found
    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    {5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> C:\WINDOWS\system32\DLA\DLASHX_W.DLL [DriveLetterAccess] -> [2005/09/08 06:20:00 | 000,110,652 | ---- | M] (Sonic Solutions)
    {69D72956-317C-44bd-B369-8E44D4EF9801} [HKLM] -> C:\WINDOWS\system32\PxSecure.dll [SafeOnline BHO] -> [2011/09/20 23:55:50 | 000,071,880 | ---- | M] (Prevx)
    {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> C:\Program Files\BAE\BAE.dll [CBrowserHelperObject Object] -> [2006/11/17 05:46:38 | 000,098,304 | ---- | M] (Dell Inc.)
    < Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\ -> 
    WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\ -> 
    WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\Software\Microsoft\Internet Explorer\Toolbar\ -> 
    ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
    "" ->  [] -> File not found
    "Corel Photo Downloader" -> C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe] -> [2006/08/14 15:20:26 | 000,462,336 | ---- | M] (Corel, Inc.)
    "DLA" -> C:\WINDOWS\system32\DLA\DLACTRLW.EXE [C:\WINDOWS\System32\DLA\DLACTRLW.EXE] -> [2005/09/08 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions)
    "DMXLauncher" -> C:\Program Files\Dell\Media Experience\DMXLauncher.exe [C:\Program Files\Dell\Media Experience\DMXLauncher.exe] -> [2005/10/05 04:12:00 | 000,094,208 | ---- | M] ()
    "NeroFilterCheck" -> C:\WINDOWS\system32\NeroCheck.exe [C:\WINDOWS\system32\NeroCheck.exe] -> [2001/07/09 11:50:42 | 000,155,648 | ---- | M] (Ahead Software Gmbh)
    "NvCplDaemon" -> C:\WINDOWS\System32\NvCpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2006/08/23 13:12:40 | 007,630,848 | ---- | M] (NVIDIA Corporation)
    "NvMediaCenter" -> C:\WINDOWS\System32\NvMcTray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2006/08/23 13:12:42 | 000,086,016 | ---- | M] (NVIDIA Corporation)
    "nwiz" -> C:\WINDOWS\System32\nwiz.exe [nwiz.exe /install] -> [2006/08/23 13:12:46 | 001,617,920 | ---- | M] ()
    "RealTray" -> C:\Program Files\Real\RealPlayer\RealPlay.exe [C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER] -> [2006/12/27 12:45:02 | 000,026,112 | ---- | M] (RealNetworks, Inc.)
    "SigmatelSysTrayApp" -> C:\WINDOWS\stsystra.exe [stsystra.exe] -> [2006/08/15 04:00:20 | 000,282,624 | ---- | M] (SigmaTel, Inc.)
    < Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup -> 
    < All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
    < Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
    < Kirk Nagle Startup Folder > -> C:\Documents and Settings\Kirk Nagle\Start Menu\Programs\Startup -> 
    < LogMeInRemoteUser Startup Folder > -> C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup -> 
    < Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
    < Software Policy Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
    < CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"HonorAutoRunSetting" ->  [1] -> File not found
    \\"NoCDBurning" ->  [0] -> File not found
    \\"NoDriveAutoRun" ->  [67108863] -> File not found
    \\"NoDriveTypeAutoRun" ->  [323] -> File not found
    \\"NoDrives" ->  [0] -> File not found
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL
    \Advanced\Folder\Hidden\SHOWALL\\"CheckedValue" ->  [1] -> File not found
    < CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    < CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoDriveTypeAutoRun" ->  [323] -> File not found
    \\"NoDriveAutoRun" ->  [67108863] -> File not found
    < CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoDriveTypeAutoRun" ->  [323] -> File not found
    \\"NoDriveAutoRun" ->  [67108863] -> File not found
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoDriveTypeAutoRun" ->  [145] -> File not found
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoDriveTypeAutoRun" ->  [145] -> File not found
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoDriveTypeAutoRun" ->  [323] -> File not found
    \\"NoDriveAutoRun" ->  [67108863] -> File not found
    \\"NoDrives" ->  [0] -> File not found
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL
    \Advanced\Folder\Hidden\SHOWALL\\"CheckedValue" ->  [1] -> File not found
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    < Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
    {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16}:{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} [HKLM] ->  [Button: AVG Do Not Track] -> File not found
    {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}:Exec [HKLM] -> C:\Program Files\AIM\aim.exe [Button: AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
    < Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ -> 
    CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
    CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> C:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
    < Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ -> 
    CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
    CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> C:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
    < Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\Software\Microsoft\Internet Explorer\Extensions\ -> 
    CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
    CmdMapping\\"{38E51477-DDB4-4aed-9D61-D0C193E10749}" [HKLM] ->  [Reg Error: Key error.] -> File not found
    CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> C:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
    < Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
    < Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
    "" -> http://
    < Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
    < Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
    < Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
    < Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
    < Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
    < Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
    < Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
    < Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
    < Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
    < Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
    < Trusted Sites Domains [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
    < Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
    {01A88BB1-1174-41EC-ACCB-963509EAE56B} [HKLM] -> http://support.dell.com/systemprofiler/SysPro.CAB [SysProWmi Class] -> 
    {02BCC737-B171-4746-94C9-0D8A0B2C0089} [HKLM] -> http://office.microsoft.com/sites/production/ieawsdc32.cab [Microsoft Office Template and Media Control] -> 
    {8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 
    {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab [Reg Error: Key error.] -> 
    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Reg Error: Key error.] -> 
    {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 
    {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> https://commercebank.webex.com/client/T27LC/webex/ieatgpc.cab [GpcContainer Class] -> 
    < Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
    DhcpNameServer -> 192.168.1.1 -> 
    < Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
    {AD56B1C2-4136-48DC-AA2F-F579D1FBD202}\\DhcpNameServer -> 192.168.1.1   (Broadcom 440x 10/100 Integrated Controller) -> 
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
    C:\WINDOWS\system32\ocmapihk.dll -> C:\WINDOWS\system32\ocmapihk.dll -> [2006/04/05 12:38:34 | 000,049,152 | ---- | M] (PGP Corporation)
    *MultiFile Done* -> -> 
    < Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
    *Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
    explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
    *MultiFile Done* -> -> 
    *UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
    C:\WINDOWS\system32\userinit.exe -> C:\WINDOWS\system32\userinit.exe -> [2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation)
    *MultiFile Done* -> -> 
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
    LMIinit -> C:\WINDOWS\System32\LMIinit.dll -> [2012/07/05 18:09:44 | 000,087,456 | ---- | M] (LogMeIn, Inc.)
    < Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
    "C:\Program Files\America Online 9.0\waol.exe" ->  [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL] -> File not found
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" ->  [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL] -> File not found
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ->  [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL] -> File not found
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
    "C:\Documents and Settings\Kirk Nagle\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" -> C:\Documents and Settings\Kirk Nagle\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe [C:\Documents and Settings\Kirk Nagle\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player] -> [2009/08/13 10:11:01 | 000,319,488 | ---- | M] (Octoshape ApS)
    "C:\Program Files\AIM\aim.exe" -> C:\Program Files\AIM\aim.exe [C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
    "C:\Program Files\AVG\AVG10\avgmfapx.exe" ->  [C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer] -> File not found
    < SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
    < CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
    "AutoRun" -> 1 -> 
    "DisplayName" -> CD-ROM Driver -> 
    "ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
    < Drives with AutoRun files > ->  -> 
    C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2004/08/11 18:15:00 | 000,000,000 | ---- | M] ()
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
    < Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
    comfile [open] -> "%1" %* -> 
    exefile [open] -> "%1" %* -> 
    < Registry Shell Spawning - Select to Repair > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006_Classes\<key>\shell\[command]\command -> 
    exefile [open] -> "%1" %* -> 
    < File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
    .com [@ = comfile] -> "%1" %* -> 
    .exe [@ = exefile] -> "%1" %* -> 
    < File Associations - Select to Repair > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Classes\<extension>\ -> 
    .exe [@ = exefile] -> "%1" %* -> 
     
     
    [Files/Folders - Created Within 30 Days]
     username123 -> C:\username123 -> [2012/10/16 08:14:25 | 000,000,000 | --SD | C]
     OTS.exe -> C:\Documents and Settings\Kirk Nagle\Desktop\OTS.exe -> [2012/10/16 07:53:45 | 000,646,656 | ---- | C] (OldTimer Tools)
     Recent -> C:\Documents and Settings\Kirk Nagle\Recent -> [2012/10/12 16:13:44 | 000,000,000 | RH-D | C]
     NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2012/10/04 10:26:26 | 000,060,416 | ---- | C] (NirSoft)
     New Folder -> C:\Documents and Settings\Kirk Nagle\Desktop\New Folder -> [2012/10/02 12:37:44 | 000,000,000 | ---D | C]
     Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2012/10/02 09:25:33 | 000,000,000 | ---D | C]
     Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2012/10/02 09:25:33 | 000,000,000 | ---D | C]
     
    [Files/Folders - Modified Within 30 Days]
     Symantec NetDetect.job -> C:\WINDOWS\tasks\Symantec NetDetect.job -> [2012/10/16 08:28:33 | 000,000,422 | ---- | M] ()
     wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2012/10/16 08:28:20 | 000,002,206 | ---- | M] ()
     nvapps.xml -> C:\WINDOWS\System32\nvapps.xml -> [2012/10/16 08:28:08 | 000,081,191 | ---- | M] ()
     bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2012/10/16 08:28:02 | 000,002,048 | --S- | M] ()
     hiberfil.sys -> C:\hiberfil.sys -> [2012/10/16 08:28:00 | 1005,047,808 | -HS- | M] ()
     OTS.exe -> C:\Documents and Settings\Kirk Nagle\Desktop\OTS.exe -> [2012/10/16 07:53:48 | 000,646,656 | ---- | M] (OldTimer Tools)
     Microsoft Office Word 2003 (2).lnk -> C:\Documents and Settings\Kirk Nagle\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk -> [2012/10/12 16:13:49 | 000,002,515 | ---- | M] ()
     Microsoft Office Excel 2007.lnk -> C:\Documents and Settings\Kirk Nagle\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk -> [2012/10/11 15:19:57 | 000,002,491 | ---- | M] ()
     9 C:\Documents and Settings\Kirk Nagle\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Kirk Nagle\Local Settings\Temp\*.tmp -> 
     16 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
     
    [Files - No Company Name]
     hiberfil.sys -> C:\hiberfil.sys -> [2012/10/16 08:28:00 | 1005,047,808 | -HS- | C] ()
     dt.dat -> C:\Documents and Settings\Kirk Nagle\Local Settings\Application Data\dt.dat -> [2012/08/10 10:31:06 | 000,027,520 | ---- | C] ()
     iacenc.dll -> C:\WINDOWS\System32\iacenc.dll -> [2012/02/16 10:05:07 | 000,003,072 | ---- | C] ()
     winscp.rnd -> C:\Documents and Settings\Kirk Nagle\Application Data\winscp.rnd -> [2011/12/12 16:38:38 | 000,000,600 | ---- | C] ()
     d3d9caps.dat -> C:\WINDOWS\System32\d3d9caps.dat -> [2011/02/20 20:46:25 | 000,000,664 | ---- | C] ()
     hitmanpro35.sys -> C:\WINDOWS\System32\drivers\hitmanpro35.sys -> [2011/02/10 10:51:15 | 000,016,968 | ---- | C] ()
     housecall.guid.cache -> C:\Documents and Settings\Kirk Nagle\Local Settings\Application Data\housecall.guid.cache -> [2010/12/08 10:45:51 | 000,000,036 | ---- | C] ()
     start -> C:\Documents and Settings\Kirk Nagle\Application Data\start -> [2010/11/29 14:09:49 | 000,000,006 | ---- | C] ()
     DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Kirk Nagle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2010/11/24 17:35:53 | 000,004,608 | ---- | C] ()
     
    [Alternate Data Streams]
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    < End of report >
    
     
  15. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,889
    nothing showing wrong there

    Run tdss killer from http://support.kaspersky.com/viruses/solutions?qid=208280684

    let it cure anything it finds (except SPTD.SYS or anything detected as UnsignedFile.Multi.Generic, which should be ignored) & then reboot

    post back with its log

    By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder.
    Logs have names like: UtilityName.Version_Date_Time_log.txt.
    E.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt
     
Short URL to this thread: https://techguy.org/1071171