
IRP Hook



#1
Jackgray

Jackgray

    New Member

  • Member
  • 7 posts
I'm running Windows XP in a VMware Fusion window on a MacBook running OS 10.7.5
On the virtual windows machine I have AVG antivirus.
The AVG warned of a Rootkit but it wasn't able to Cure it.
I then downloaded and ran TDSSKiller and this has identified 191 threats but is unable to Cure any of them.
The TDSSKiller report is attached. It's a mile long. Is there a reasonable fix or is it better to zap the virtual machine and start again?

Attached File: Report.txt (89.95KB, 57 downloads)

#2
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,500 posts
Hi Jackgray!

Welcome to Geeks to Go! :)

My name is Donna and I'd be happy to help you clean your VM to prevent you from having to start again! :yes:

It's a mile long. Is there a reasonable fix or is it better to zap the virtual machine and start again?


Yep! That's a doozy of a log you've got there! :P

Your patience will be necessary since I am currently in training, and all of my responses to you must be reviewed by my instructor before I post them. The advantage is yours, though, in that you will have 2 pairs of eyes examining your issue every step of the way. :thumbsup:

Please read this post completely before beginning the fix. If there's anything that you do not understand don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that we are all volunteers. We do have families, careers, and other endeavors just as you do that may prevent immediate responses that meet your schedule. Time zones may also be a factor for a timely response. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this infected computer.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, or running scanners or tools of any kind unless specifically requested by me.
  • If you have the capability to print the instructions, please do so; some portion of this fix may have to be accomplished in safe mode or offline, where you will be unable to follow my instructions online.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you.
  • Scanning with programs and reading the logs do take a fair amount of time; your patience will be necessary. :)

Please allow me some time to view your log and consult with my instructor.

Thank you!

Donna :)

#3
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,500 posts
Hello again Jackgray!

Please download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

In your next reply, please post the following logs:

OTL.txt
Extras.txt


Thank you,

Donna

#4
Jackgray

Jackgray

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thanks Donna, you are a star. Time is not an issue, just happy to get help. So here's the log from OTL:

OTL logfile created on: 11/01/2013 15:34:30 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.48 Mb Total Physical Memory | 222.64 Mb Available Physical Memory | 43.53% Memory free
864.39 Mb Paging File | 507.55 Mb Available in Paging File | 58.72% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.99 Gb Total Space | 9.15 Gb Free Space | 45.78% Space Free | Partition Type: NTFS
Drive Z: | 110.99 Gb Total Space | 33.73 Gb Free Space | 30.39% Space Free | Partition Type: HGFS

Computer Name: GRAYS-71E438D86 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/11 15:33:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2013/01/09 07:19:09 | 000,997,320 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2013/01/09 07:19:09 | 000,711,112 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
PRC - [2012/10/31 20:01:46 | 000,058,520 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Tools\VMwareTray.exe
PRC - [2012/10/31 20:01:40 | 000,062,616 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
PRC - [2012/10/31 19:56:58 | 000,432,792 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Tools\vmacthlp.exe
PRC - [2012/10/14 11:51:32 | 006,035,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgmfapx.exe
PRC - [2012/08/13 02:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2012/07/31 02:37:02 | 002,596,984 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/07/26 02:23:08 | 000,758,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/06/13 02:48:50 | 002,321,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgfws.exe
PRC - [2012/06/13 02:48:24 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/03/19 04:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/02/14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 03:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/09 07:19:09 | 000,997,320 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2013/01/09 07:19:09 | 000,711,112 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
MOD - [2013/01/09 07:19:09 | 000,566,728 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\DNTInstaller\13.2.0\avgdttbx.dll
MOD - [2013/01/09 07:19:09 | 000,134,600 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\13.2.0\SiteSafety.dll
MOD - [2012/10/31 20:01:46 | 000,644,760 | ---- | M] () -- C:\Program Files\VMware\VMware Tools\glibmm-2.4.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/01/09 07:19:09 | 000,711,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe -- (vToolbarUpdater13.2.0)
SRV - [2012/10/31 20:01:40 | 000,062,616 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -- (VMTools)
SRV - [2012/10/31 19:56:58 | 000,432,792 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Tools\vmacthlp.exe -- (VMware Physical Disk Helper Service)
SRV - [2012/09/17 10:35:24 | 000,406,864 | ---- | M] (Cortado AG) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Tools\TPVCGateway.exe -- (TPVCGateway)
SRV - [2012/09/17 10:35:24 | 000,378,192 | ---- | M] (Cortado AG) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe -- (TPAutoConnSvc)
SRV - [2012/08/13 02:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/06/13 02:48:50 | 002,321,560 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgfws.exe -- (avgfws)
SRV - [2012/02/14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\Drivers\vmdebug.sys -- (vmdebug)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/01/09 07:19:09 | 000,026,984 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2012/10/31 20:05:16 | 000,098,968 | ---- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2012/10/31 20:04:50 | 000,102,256 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmx_svga.sys -- (vmx_svga)
DRV - [2012/10/31 20:02:28 | 000,030,000 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmxnet.sys -- (vmxnet)
DRV - [2012/10/31 19:59:04 | 000,011,440 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmmouse.sys -- (vmmouse)
DRV - [2012/10/31 19:58:46 | 000,015,128 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys -- (VMMEMCTL)
DRV - [2012/10/31 19:58:02 | 000,144,408 | ---- | M] (VMware, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\vmhgfs.sys -- (vmhgfs)
DRV - [2012/10/31 19:57:14 | 000,017,968 | ---- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vmscsi.sys -- (vmscsi)
DRV - [2012/08/24 14:43:18 | 000,301,920 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/07/26 02:21:30 | 000,237,408 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/04/19 03:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/01/31 03:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2012/01/12 18:52:06 | 000,030,944 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2012/01/12 18:52:06 | 000,030,944 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2011/12/23 12:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/12/23 12:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2011/12/23 12:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
DRV - [2011/12/23 12:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2008/10/05 19:27:29 | 000,036,400 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lgtosync.sys -- (LGTO_Sync)
DRV - [2008/04/13 18:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2001/08/17 12:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.c...pr&d=2011-11-30 16:21:54&v=10.0.0.7&sap=dsp&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\13.2.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/10/14 11:56:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\FireFoxExt\13.2.0.5 [2013/01/09 07:19:22 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/02/28 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe (VMware, Inc.)
O4 - HKLM..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\vmtoolsd.exe (VMware, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleNetIDList = 1
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\vsocklib.dll (VMware, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.171.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6957145A-C42C-4BF4-8B2C-62D9459BDD04}: DhcpNameServer = 192.168.171.2
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - C:\WINDOWS\System32\TPSvc.dll (Cortado AG)
O20 - Winlogon\Notify\VMUpgradeAtShutdown: DllName - (VMUpgradeAtShutdownWXP.dll) - C:\WINDOWS\System32\VMUpgradeAtShutdownWXP.dll (VMware, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/05 19:21:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/11 15:33:09 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2013/01/09 07:22:39 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\tdsskiller.exe
[2013/01/09 07:19:15 | 000,026,984 | ---- | C] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/01/04 18:11:31 | 000,000,000 | ---D | C] -- C:\WorkBackup
[2013/01/04 17:58:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VMware
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/11 15:33:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2013/01/11 15:29:57 | 105,710,294 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2013/01/11 15:29:03 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2013/01/11 15:26:07 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VMware Shared Folders.lnk
[2013/01/11 15:25:29 | 000,013,744 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/11 15:25:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/10 20:17:53 | 000,432,414 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/01/10 20:17:53 | 000,067,668 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/01/09 07:22:39 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\tdsskiller.exe
[2013/01/09 07:19:09 | 000,026,984 | ---- | M] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/01/07 00:05:34 | 000,142,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/01/06 23:26:43 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/04 17:52:58 | 000,629,730 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/21 10:40:52 | 000,023,892 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/02/17 12:48:48 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/24 10:09:58 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\SGSTDREG.dll
[2012/01/24 10:09:54 | 000,245,760 | ---- | C] () -- C:\WINDOWS\System32\SageEventHandler.exe
[2012/01/24 10:09:12 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\SGRegister.dll
[2012/01/24 10:09:08 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\SGWebBrowser.dll
[2012/01/24 10:09:02 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\SGJPEG32.dll
[2012/01/24 10:08:30 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\SageFolderBrowser.dll

========== ZeroAccess Check ==========

[2010/05/20 14:21:39 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 00:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 12:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 00:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/01/09 07:19:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[2012/03/22 16:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/11/30 16:18:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/16 13:12:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2013/01/11 15:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/03/23 11:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
[2011/11/30 16:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2011/11/30 16:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG Secure Search
[2011/11/30 16:22:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG2012
[2011/06/19 08:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG9
[2010/07/26 14:22:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sage

========== Purity Check ==========



< End of report >
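The OTL.txt that post #3 asks for and post #4 pastes is a fixed-format text report, and a helper reads it by scanning for a few recurring cues before anything else. As an added example (not code from this thread, from OTL, or from its author), here is a small Python triage script that parses the PRC/MOD/SRV/DRV entries and the O4 Run-key entries and flags the items a helper looks at first: services, drivers or Run keys whose registered file is missing, and executables OTL lists with an empty company name `()`. The sample lines are copied from the log above; the regexes are my own reading of the format as it appears on this page, not OTL's documented grammar, and an empty company name is a triage cue rather than proof of malware (the AVG Secure Search entries in this log are a legitimate instance of it).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample lines copied from the OTL.txt posted in this thread (a subset,
# not a full log) so the script runs offline against realistic input.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - [2013/01/11 15:33:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2013/01/09 07:19:09 | 000,997,320 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/10/31 20:01:40 | 000,062,616 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -- (VMTools)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - [2013/01/09 07:19:09 | 000,026,984 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtpx86.sys -- (avgtp)

========== Standard Registry (SafeList) ==========

O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
"""

# The patterns below are an assumption about the OTL line format, derived
# from the lines visible in this thread rather than from OTL documentation.
#
# Entry whose file exists:
#   KIND - [date time | size | attrs | M] (Company) [state] -- path -- (Name)
# "[state]" and "-- (Name)" only appear on SRV/DRV lines.
FILE_RECORD = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.*?)(?: -- \((?P<name>[^)]*)\))?$"
)
# SRV/DRV entry whose registered file is missing (the path may be empty):
#   KIND - File not found [state] -- path -- (Name)
MISSING_FILE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- "
    r"(?P<path>.*?) ?-- \((?P<name>[^)]*)\)$"
)
# O4 Run-key entry:  O4 - HKLM..\Run: [Name] target (Company)   or   [Name] File not found
RUN_KEY = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
TRAILING_COMPANY = re.compile(r" \((?P<company>[^()]*)\)$")


@dataclass
class Finding:
    kind: str    # PRC, MOD, SRV, DRV or O4
    name: str    # service/driver/Run-key name, or the file path for PRC/MOD
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MISSING_FILE.match(line)
        if m:
            findings.append(Finding(m["kind"], m["name"], "registered but file not found", line))
            continue
        m = FILE_RECORD.match(line)
        if m:
            if not m["company"].strip():
                findings.append(Finding(m["kind"], m["name"] or m["path"], "no company name", line))
            continue
        m = RUN_KEY.match(line)
        if m:
            target = m["target"]
            if target == "File not found":
                findings.append(Finding("O4", m["name"], "Run key points to a missing file", line))
                continue
            c = TRAILING_COMPANY.search(target)
            if c is None or not c["company"].strip():
                findings.append(Finding("O4", m["name"], "no company name", line))
    return findings


def count_by_reason(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by reason so a long log can be skimmed first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason:<35} {f.name}")
    print(count_by_reason(triage(SAMPLE_LOG)))
```

Run against the sample it reports five entries: the two AVG Secure Search executables with an empty company name, the HidServ service and WDICA driver whose files are missing, and the unnamed Run key pointing at a missing file. Lines with a recognised company and an existing file, such as the VMware and OTL entries, produce nothing, which is what makes the script useful on a log this size: it narrows the reader's attention rather than deciding anything.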

#5
Jackgray

Jackgray

    New Member

  • Topic Starter
  • Member
  • 7 posts
And here's the "Extras.Txt":


OTL Extras logfile created on: 11/01/2013 15:34:30 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.48 Mb Total Physical Memory | 222.64 Mb Available Physical Memory | 43.53% Memory free
864.39 Mb Paging File | 507.55 Mb Available in Paging File | 58.72% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.99 Gb Total Space | 9.15 Gb Free Space | 45.78% Space Free | Partition Type: NTFS
Drive Z: | 110.99 Gb Total Space | 33.73 Gb Free Space | 30.39% Space Free | Partition Type: HGFS

Computer Name: GRAYS-71E438D86 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = SafariHTML] -- C:\Program Files\Safari\Safari.exe (Apple Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0654EEE0-53F6-4FF4-839D-CFDDC4761687}" = Payroll for Windows
"{1331635B-6E50-410A-8DE7-5534D3E2B8BE}" = Sage 50 Payroll
"{1BF84DA0-739B-4377-924E-CFE971C3D1BE}" = Payroll for Windows
"{1E1645F2-8392-48DD-9B4C-7ACEF84D0093}" = Payroll for Windows
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{303379C9-8610-4CCF-AF37-C4BF8998C591}" = Roxio Media Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3940B071-0FCC-49F6-A391-90CAC2E067BE}" = Sage 50 Payroll
"{3DEC07EB-2F06-40E3-B65F-1D3C76DE2614}" = Payroll for Windows
"{3FC29AC3-68C5-4D75-9681-F53D2B393E80}" = DotNet20withMsi30
"{45D49DF7-7B32-4438-8ED6-C7AE6ED3956C}" = Sage 50 Payroll
"{4856D36C-43EB-4D9C-B2EA-CFEE7B945E4F}" = AVG 2012
"{49CB6467-E86C-4A16-9107-A2FEA3AA2021}" = Sage 50 Payroll
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{59AB7E85-011F-461C-82BA-EFBFE50FFD39}" = Payroll for Windows
"{5A1459E4-4D64-4B15-9720-399706CC5367}" = Payroll for Windows
"{5FE92453-1E04-4385-9D3B-D9B3F02F556A}" = Payroll for Windows
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4E5E9A9-BC6C-476C-8D32-12AFE348CA9D}" = VMware Tools
"{A8817A8C-7D1F-4135-91AD-AFE21E1B357F}" = Payroll for Windows
"{B69C390B-826F-473C-86EB-7AD4950818C3}" = AVG 2012
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CC93A117-A862-40E4-8B87-01D820190076}" = Sage 50 Payroll
"{CCF300E5-E44B-43FA-BF8E-9E83EFD7413C}" = Payroll for Windows
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D793A12F-E362-48BB-B332-1DA5E936B52D}" = BlackBerry Desktop Software 4.3
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{FA586006-3667-4F43-97E7-98E2A39A41A6}" = Payroll for Windows
"{FC70C2C3-D590-43B9-B9C4-6905BCCEF62D}" = Payroll for Windows
"AVG" = AVG 2012
"AVG Secure Search" = AVG Security Toolbar
"BlackBerry_{D793A12F-E362-48BB-B332-1DA5E936B52D}" = BlackBerry Desktop Software 4.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 05/10/2011 09:12:36 | Computer Name = GRAYS-71E438D86 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 06/10/2011 11:05:00 | Computer Name = GRAYS-71E438D86 | Source = ESENT | ID = 490
Description = svchost (1380) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 06/10/2011 11:05:00 | Computer Name = GRAYS-71E438D86 | Source = ESENT | ID = 470
Description = Catalog Database (1380) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

Error - 28/11/2011 15:20:24 | Computer Name = GRAYS-71E438D86 | Source = HotFixInstaller | ID = 5000
Description = EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb2572073,
P2 1033, P3 1618, P4 msi, P5 f, P6 9.0.40215.0, P7 install, P8 x86, P9 xp, P10
0.

Error - 28/11/2011 15:29:48 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3014
Description = Unable to update the performance counter explain text strings of the
009
language ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 28/11/2011 15:29:48 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3009

Error - 28/11/2011 15:29:48 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted. The bogus string is 11126, the bogus index value is the first
DWORD in Data section while the last valid index values are the second and
third DWORD in Data section.

Error - 28/11/2011 15:29:48 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ASP.NET (ASP.NET) failed. The
Error code is the first DWORD in Data section.

Error - 14/01/2012 05:51:24 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted. The bogus string is 11126, the bogus index value is the first
DWORD in Data section while the last valid index values are the second and
third DWORD in Data section.

Error - 14/01/2012 05:51:24 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service aspnet_state (ASP.NET State Service) failed. The
Error code is the first DWORD in Data section.

Error - 14/01/2012 05:51:24 | Computer Name = GRAYS-71E438D86 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted. The bogus string is 11126, the bogus index value is the first
DWORD in Data section while the last valid index values are the second and
third DWORD in Data section.

Error encountered while reading event logs.

< End of report >
  • 0

#6 DonnaB (Miss Congeniality, GeekU Moderator, 7,500 posts)
Perfect! Thanks for the logs.

Kick back and relax for a time (or 2). Looking over the logs will definitely take some time.

I'll report back as soon as possible with your next set of instructions.

:)
  • 0

#7 DonnaB (Miss Congeniality, GeekU Moderator, 7,500 posts)
Hi Jackgray,

Could you provide the AVG scan results, please? We'd like to see the log that stated what was found/removed/detected.

I'm sure you know where to find the scan result logs, though I'll provide this link just in case. ;)

Thanks! :)
  • 0

#8 Jackgray (New Member, Topic Starter, 7 posts)
Hi Donna, the warning of 191 Rootkits / IRP Hook has vanished. This scan report shows 16:

"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_CREATE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_CLOSE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_READ -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_WRITE -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_FLUSH_BUFFERS -> CLASSPNP.SYS ClassIoComplete+0xEF";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_DEVICE_CONTROL -> CLASSPNP.SYS ClassIoComplete+0x1C8";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_INTERNAL_DEVICE_CONTROL -> CLASSPNP.SYS ClassInternalIoControl";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_SHUTDOWN -> CLASSPNP.SYS ClassIoComplete+0xEF";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_POWER -> CLASSPNP.SYS ClassForwardIrpSynchronous+0xD8";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_SYSTEM_CONTROL -> CLASSPNP.SYS ClassInitialize+0x666";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\drivers\SCSIPORT.SYS";"IRP hook, \Driver\vmscsi DriverStartIo -> SCSIPORT.SYS ScsiPortGetUncachedExtension+0x1F06";"Object is hidden"

The virtual machine has started to misbehave a little on first booting up. The window / screen turns black and only reverts to normal display when some action changes the display. For instance when the AVG Firewall reports that it is active a notification slides up from the bottom right corner. When this retracts it leaves behind a strip of Desktop instead of the black. Might have nothing to do with the Rootkit thing but does seem odd. The Mac desktop continues to behave normally behind the Windows window.
  • 0
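As an added triage example (not TDSSKiller's code, nor anything posted in this thread), the following Python parses report lines in the format quoted above and separates the entries TDSSKiller itself marked as white-listed system files from anything else, such as the single "Object is hidden" hit, so a helper knows which lines deserve a closer look. The sample lines are constructed to match the shapes quoted in the post.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the TDSSKiller report shape quoted above:
# "";"<file path>";"<detection text>";"<verdict>"
SAMPLE_REPORT = r'''"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_READ -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_WRITE -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\drivers\SCSIPORT.SYS";"IRP hook, \Driver\vmscsi DriverStartIo -> SCSIPORT.SYS ScsiPortGetUncachedExtension+0x1F06";"Object is hidden"
'''

# Detection text: "IRP hook, \Driver\<name> <dispatch entry> -> <module> [<symbol>+<offset>]"
HOOK_RE = re.compile(
    r'^IRP hook, (?P<driver>\\Driver\\\S+) (?P<dispatch>\S+) -> (?P<module>\S+)(?: (?P<symbol>\S+))?$'
)

def parse_report(text):
    """Parse report lines into dicts; lines that are not IRP-hook records are skipped."""
    entries = []
    for row in csv.reader(io.StringIO(text), delimiter=';', quotechar='"'):
        if len(row) < 4:
            continue
        _, path, detection, verdict = row[:4]
        m = HOOK_RE.match(detection)
        if not m:
            continue
        entry = m.groupdict()
        entry['path'] = path
        entry['verdict'] = verdict
        entry['whitelisted'] = verdict.startswith('Object is white-listed')
        # Sanity check: the module the dispatch pointer lands in should be the file reported
        file_name = path.rsplit('\\', 1)[-1].upper()
        entry['target_matches_file'] = file_name == entry['module'].upper()
        entries.append(entry)
    return entries

def triage(entries):
    """Return (count per verdict, entries needing manual review).

    Anything TDSSKiller did not white-list, or whose hook target does not match
    the reported file, goes to the review list; the rest are benign layering
    between a driver and its class/port library."""
    review = [e for e in entries if not e['whitelisted'] or not e['target_matches_file']]
    return Counter(e['verdict'] for e in entries), review

if __name__ == '__main__':
    counts, review = triage(parse_report(SAMPLE_REPORT))
    for verdict, n in counts.items():
        print(f'{n:3d}  {verdict}')
    for e in review:
        print(f"REVIEW: {e['driver']} {e['dispatch']} -> {e['module']} ({e['verdict']})")
```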

#9 DonnaB (Miss Congeniality, GeekU Moderator, 7,500 posts)
Hi Jackgray,

I believe we have a case of AVG reporting False Positives here, which it is notorious for. To verify this could you please uninstall your AVG 2012 software and install Microsoft Security Essentials (MSE)?

The best way to uninstall one AV and reinstall another and stay safe doing so is as follows:

Step 1:
  • Please download the AVG removal tool from HERE to your desktop.
  • From the list of removal tools, choose AVG Remover(32bit) 2012 (3rd one down)
  • Do not install just yet!

Step 2:
  • Please download Microsoft Security Essentials (MSE) from HERE to your desktop.
  • Under Quick details choose enus\x86\mseinstall.exe from the list (2nd one).
  • Do not install just yet!

Disconnect from the internet and follow these instructions below to uninstall AVG then install MSE:

Step 3:
  • Go to your Add/Remove programs and uninstall AVG.
  • Install and run the AVG removal tool.
  • Install MSE.
  • Reconnect to the internet to update MSE, then run a scan.

Please report the results of the scan in your next reply.

The Mac desktop continues to behave normally behind the Windows window.

That is due to the issue being contained within the VM. :thumbsup:

Thank you,

Donna :)
  • 0

#10 Jackgray (New Member, Topic Starter, 7 posts)
Hi Donna, Just done the necessary and MSE reports in the History tab under "All detected Items" = nothing, zero, diddlysquat.

So I presume that I'm OK. Thanks a million for your help, much appreciated. Sadly it is most unlikely that I'll ever be able to return the favour.
Does that mean that all the time it was my AVG being paranoid?
My AVG licence runs until July and it includes three machines (including the Virtual Machine on the Mac lappy involved),
i.e. my Windows desktop at home running XP and my office desktop running Windows 7.
What would you suggest? Scrap AVG and change to something else now? Wait until July and then switch? Reinstall AVG on the VM because a bit of paranoia is better than being useless?
Generally speaking my Windows machines aren't used for browsing or e-mail but communicate through Dropbox or flash drive for work purposes. My own stuff is Mac based.
  • 0

#11 DonnaB (Miss Congeniality, GeekU Moderator, 7,500 posts)
Hi Jackgray, :)

That's great news! Seems AVG was having a really bad day.

I'm confident that you're ok, though if you don't mind, I have one more request for you:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Now to answer your questions: ;)

Concerning the laptop:

After an in-depth discussion with my instructor, I have to agree with him that AVG is not playing well with your XP in the VM. I'm quite sure the excitement due to AVG's bout of paranoia was tons of fun for you, but I'd suggest keeping MSE installed, and since you use it for work purposes you'll need to install a 3rd party Firewall for extra protection. I would like to suggest the Comodo Firewall. Very easy Firewall to configure. We'd be more than happy to answer any questions concerning the configuration of it, so don't hesitate to ask! :)

Do you have an AV on your Mac? If not, I'd like to suggest Avast for Macs. Even Macs are susceptible to infection, though they are not targeted as Windows machines are since the creators of malware find them less profitable.

Since your license for AVG is good till July, and you're not having any issues, I'd keep AVG on the other 2 PCs and get my money's worth. You can decide then if you'd like to change AVs. Personally, I like free. Gave up a year's subscription to Panda only 3 months into the license after I was introduced to the free version of Avast and haven't looked back. If you do choose to switch, Win7 has a great Firewall of its own, though your desktop at home that runs XP will need a 3rd party Firewall.

You mentioned that you basically use the Windows machines to communicate through Dropbox or flash drive for work purposes. Make sure that autorun is disabled. That'll be an added incentive to prevent infection from spreading.


Sadly it is most unlikely that I'll ever be able to return the favour.



Your appreciation for my help is priceless! It was truly a privilege to help you.

Let us know how the ESET scan turns out or if anything is found.

Donna :)
  • 0

#12 DonnaB (Miss Congeniality, GeekU Moderator, 7,500 posts)
Hi Jackgray,

How's your computer running? Ok?

Subject to no more questions we can consider this matter resolved. :happy:
  • 0

#13 Jackgray (New Member, Topic Starter, 7 posts)
Hi Donna. Sorry to not get back to you before. I haven't been able to get back to the laptop. Will give it a try later and change the firewall as suggested. Thanks again, it's looking good so far. I would never have guessed that it could be a problem with my antivirus.
Currently my Macs are running without antivirus. Old school wisdom advised it. I did try Norton on my G5 many moons ago but it was like a virus itself, slowing the machine right down and firing off popups all over the place, and took a [bleep] of a lot of effort to uninstall, like getting a winkle out of its shell. Times change, and being one who follows advice when outside my own areas of expertise, I'll give Avast a go. Cheers, Gray

Edited by Jackgray, 19 January 2013 - 05:39 AM.

  • 0

#14 DonnaB (Miss Congeniality, GeekU Moderator, 7,500 posts)
Not to worry! I thought I scared you off with that last post! :lol: Glad to hear all is fine so far. Whenever you find the time. :happy:
  • 0

#15 Jackgray (New Member, Topic Starter, 7 posts)
The ESET Scan reports "No Threats Found" and the "Log.txt" file is empty.
So looks like I'm done and dusted until the next time. Thanks again.
  • 0