Solved Redirect and update/virus scan blocking malware

severedgein

Hello again,

Trying to clean up computers at work again, thankfully this bug hasn't spread across the network, and it seems pretty benign for the most part, but I'd appreciate your help getting it off so I can get AVG and Windows updates working properly again.

Symptoms:
It's completely blocking Microsoft updates; it's giving me a constant Microsoft Security Alert about "automatic updates are turned off" and cannot be enabled nor does going directly to the Microsoft update site work. Also, the virus protection is labeled as "Best Malware Protection" in the virus part of MS Sec. Alerts.

It's blocking most of the features in AVG free 2012; all scans are missing, and won't run when using the scan features in the system tray icon, and updates are blocked/simply don't run.

Lastly, the homepage for IE has been changed to "encrypted.google.com" and redirects after the 3rd or so page opened to some Yellowpages.com site; also the ability to adjust settings in IE has been completely blocked/greyed out.

Logs:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.29.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ws1 :: WS101 [administrator]

2/29/2012 8:24:13 AM
mbam-log-2012-02-29 (08-24-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 268702
Time elapsed: 14 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-02-29 08:47:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD800JD-75MSA3 rev.10.01E04
Running: feym0l94.exe; Driver: C:\DOCUME~1\WS1~1.PSB\LOCALS~1\Temp\pxtdqpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

----------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by ws1 at 8:50:05 on 2012-02-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.617 [GMT -5:00]
.
AV: Best Malware Protection *Enabled/Updated* {22DD0267-B573-4DF4-B355-112ED9B117EE}
FW: Best Malware Protection *Enabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://encrypted.google.com/
uDefault_Page_URL = hxxp://companyweb
uSearch Bar =
mSearchAssistant =
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60252
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: bethesdahealthcare.com
Trusted Zone: bethesdahealthcare.com\bcsg2
DPF: MIW Deployment - hxxps://64.135.121.50/downloads/MIWDeploy.cab
DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} - hxxp://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB
DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} - hxxps://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_26//sframe/IETools.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1318263123862
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} - hxxps://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxps://pacs.floridaopenimaging.com/plugins/jre/1_4/amicasjreinstaller_1_4_silent.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} - hxxps://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D33FCFC5-C20A-4187-9630-34890668D0D4} : DhcpNameServer = 192.168.1.254
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 192.168.1.200 server
Hosts: 74.50.127.5 www.google.com
Hosts: 74.50.127.5 google.com
Hosts: 74.50.127.5 google.com.au
Hosts: 74.50.127.5 www.google.com.au
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-15 47640]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-27 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S3 B-Service;B-Service;c:\documents and settings\ws1.psboynton\local settings\temporary internet files\content.ie5\kper4tef\b-service.exe --> c:\documents and settings\ws1.psboynton\local settings\temporary internet files\content.ie5\kper4tef\B-Service.exe [?]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-02-27 14:31:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-27 14:01:21 -------- d-----w- c:\documents and settings\ws1.psboynton\application data\AVG
.
==================== Find3M ====================
.
2012-02-27 14:31:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-16 21:51:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-20 14:09:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-20 14:09:15 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-12-20 14:09:14 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-12-20 14:09:14 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 19:07:52 3162632 ----a-w- c:\documents and settings\ws1.psboynton\application data\sm-b3142512904a73eaa37abe95da908c7e.exe
.
============= FINISH: 8:50:49.23 ===============
--------------------------------------------------------------------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/11/2007 3:08:30 PM
System Uptime: 2/27/2012 9:25:34 AM (47 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5S800-VM
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3192/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 29.766 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP451: 6/4/2008 12:35:35 PM - Installed AVG 8.0
RP452: 6/4/2008 1:24:17 PM - Installed AVG 8.0
.
==== Hosts File Hijack ======================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 11 ActiveX
Adobe Reader 8.1.5
AsusUpdate
AVG 2012
AVG PC Tuneup
CaptureCAM-PLAYER
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Crystal Reports 10 Support Files
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_06
Java Auto Updater
Java(TM) 6 Update 31
Lytec 2011 Professional
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MSXML 6 Service Pack 2 (KB973686)
Realtek AC'97 Audio
Revenue Management
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Shadow Copy Client
SiS VGA Utilities
SiSAGP driver
SQL Admin Studio
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
2/27/2012 9:28:35 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
2/23/2012 9:02:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LMIGuardianSvc service to connect.
2/23/2012 9:02:31 AM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the file specified.
2/23/2012 9:02:31 AM, error: Service Control Manager [7000] - The LMIGuardianSvc service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/23/2012 9:02:31 AM, error: Service Control Manager [7000] - The ASInsHelp service failed to start due to the following error: The system cannot find the file specified.
2/23/2012 9:02:26 AM, error: NETLOGON [5719] - No Domain Controller is available for domain PSBOYNTON due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================

THANK YOU!!!
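A defender-side check for the pattern visible in the DDS "Hosts File Hijack" and RogueKiller "HOSTS File" sections of the logs above: many search-engine domains all mapped to one non-loopback address. This is an added example, not part of the original post or of either tool; the watch-list of labels and the sample hosts text are constructed for the example.

```python
"""Audit a hosts file for the search-engine redirect pattern seen in the
DDS "Hosts File Hijack" and RogueKiller "HOSTS File" sections: many
well-known search domains all pointing at one non-loopback address."""
from collections import Counter

# Labels a legitimate hosts file has no reason to remap. A constructed
# watch-list for this example; extend it for your own environment.
WATCHED_LABELS = {"google", "google-analytics", "bing", "yahoo"}

# Addresses that are harmless as a hosts-file target (localhost, sinkholing).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample modelled on the log entries above: the localhost line,
# one legitimate LAN entry ("server"), and a handful of the 74.50.127.5
# redirects. The last line uses the "Hosts: " prefix that DDS prints, to
# show that the parser accepts both forms.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
192.168.1.200   server
74.50.127.5     www.google.com
74.50.127.5     google.com
74.50.127.5     google.co.uk
74.50.127.5     www.bing.com
74.50.127.5     search.yahoo.com
Hosts: 74.50.127.5 www.google-analytics.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Accepts raw hosts lines (one IP followed by one or more names, with
    optional '#' comments) and the 'Hosts: ' prefixed lines DDS emits.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("Hosts:"):
            line = line[len("Hosts:"):].strip()      # DDS report form
        parts = line.split()
        if len(parts) < 2:
            continue                                  # blank or malformed
        ip, names = parts[0], parts[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_watched(hostname):
    """True if any DNS label of hostname is on the watch-list.

    Label matching covers google.com, google.co.uk, www.google.de and
    search.yahoo.com alike without listing every country TLD.
    """
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def find_hijacks(text):
    """Return (hijacked_entries, sink_counts).

    An entry is suspicious when a watched name maps to a non-loopback
    address; sink_counts tallies how many watched names each such
    address absorbs, which is the signature of a mass redirect.
    """
    hijacked = [(ip, name) for ip, name in parse_hosts(text)
                if ip not in LOOPBACK and is_watched(name)]
    sinks = Counter(ip for ip, _ in hijacked)
    return hijacked, sinks


def mass_redirect_sinks(text, threshold=3):
    """Addresses that absorb at least `threshold` watched names."""
    _, sinks = find_hijacks(text)
    return sorted(ip for ip, count in sinks.items() if count >= threshold)


if __name__ == "__main__":
    hijacked, sinks = find_hijacks(SAMPLE_HOSTS)
    for ip, name in hijacked:
        print(f"REDIRECTED  {name:30} -> {ip}")
    for ip in mass_redirect_sinks(SAMPLE_HOSTS):
        print(f"MASS REDIRECT SINK: {ip} ({sinks[ip]} watched names)")
```

Run it against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading that file into `find_hijacks`; the LAN entry "server" is deliberately left alone because its name is not on the watch-list.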
 
Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=====================================================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Click on SCAN.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
 
Here are the logs:

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-02 16:05:21
-----------------------------
16:05:21.093 OS Version: Windows 5.1.2600 Service Pack 3
16:05:21.093 Number of processors: 2 586 0x409
16:05:21.093 ComputerName: WS101 UserName: ws1
16:05:21.640 Initialize success
16:08:01.687 AVAST engine defs: 12030201
16:08:12.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
16:08:12.546 Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
16:08:12.562 Disk 0 MBR read successfully
16:08:12.562 Disk 0 MBR scan
16:08:12.609 Disk 0 Windows XP default MBR code
16:08:12.609 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
16:08:12.609 Disk 0 scanning sectors +156232125
16:08:12.718 Disk 0 scanning C:\WINDOWS\system32\drivers
16:08:28.109 Service scanning
16:08:44.453 Modules scanning
16:08:48.968 Disk 0 trace - called modules:
16:08:49.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:08:49.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b1dab8]
16:08:49.000 3 CLASSPNP.SYS[f789afd7] -> nt!IofCallDriver -> \Device\00000064[0x86b489e8]
16:08:49.000 5 ACPI.sys[f7811620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86b68940]
16:08:49.656 AVAST engine scan C:\WINDOWS
16:09:09.328 AVAST engine scan C:\WINDOWS\system32
16:12:07.093 File: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_08eaa53a\System.Drawing.dll **HIDDEN**
16:12:10.906 AVAST engine scan C:\WINDOWS\system32\drivers
16:12:36.640 AVAST engine scan C:\Documents and Settings\ws1.PSBOYNTON
16:15:59.546 AVAST engine scan C:\Documents and Settings\All Users
16:17:42.296 Scan finished successfully
16:17:58.843 Disk 0 MBR has been saved successfully to "\\Rsxp1\transcriptions\MBR.dat"
16:17:58.843 The log file has been saved successfully to "\\Rsxp1\transcriptions\aswMBR.txt"


-------------------------------------------------------------------------

RogueKiller V7.2.1 [02/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: ws1 [Admin rights]
Mode: Scan -- Date: 03/02/2012 16:19:32

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
192.168.1.200 server
74.50.127.5 www.google.com
74.50.127.5 google.com
74.50.127.5 google.com.au
74.50.127.5 www.google.com.au
74.50.127.5 google.be
74.50.127.5 www.google.be
74.50.127.5 google.com.br
74.50.127.5 www.google.com.br
74.50.127.5 google.ca
74.50.127.5 www.google.ca
74.50.127.5 google.ch
74.50.127.5 www.google.ch
74.50.127.5 google.de
74.50.127.5 www.google.de
74.50.127.5 google.dk
74.50.127.5 www.google.dk
74.50.127.5 google.fr
74.50.127.5 www.google.fr
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75MSA3 +++++
--- User ---
[MBR] 183ede5eccbb09d77dd5816cdb825a43
[BSP] fea7d0aec7c8225e513472eb3d9581a0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76285 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

---------------------------------------------------

This is an office computer, so I won't be back to follow up on this until Monday, but I await your further instructions. Thank you for your help Broni!
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double-clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I ran Combofix. However, my system restarted itself around step 26/27, then had to run chkdsk and subsequently didn't produce the log because it rebooted again after chkdsk. Upon restart, automatic updates are now enabled, and the message in security alerts only shows that there is no anti-virus installed** instead of mentioning Best Malware Protection. I didn't check IE for the ability to adjust options or adjust the firewall settings (which I forgot to mention were also locked before).

**(though AVG is installed and booted when the system restarted, which I promptly exited expecting Combofix to restart)

Should I re-run Combofix so it (hopefully) produces a log? Or is there somewhere else I should search for a log that may have been produced the first time other than "C:\", My Documents, and the Desktop?
 
Discovered why it was restarting: the CPU was overheating. I had to use the second "if Combofix won't run" method to get it to finish (after putting a desk fan next to the cabinet), because after the last restart Combofix would not open the blue window after running the initial startup screen. Also, the redirects/blocked internet options were still present before Combofix did manage to run; Windows Update was not re-blocked, though.

log:

ComboFix 12-03-07.02 - ws1 03/07/2012 9:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.590 [GMT -5:00]
Running from: c:\documents and settings\ws1.PSBOYNTON\Desktop\your_name.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\d9b4a3
c:\documents and settings\All Users\Application Data\d9b4a3\276.mof
c:\documents and settings\All Users\Application Data\d9b4a3\BMP.ico
c:\documents and settings\All Users\Application Data\d9b4a3\d9b4a342fb5d1675d500786ffb12f0df.ocx
c:\documents and settings\All Users\Application Data\d9b4a3\fz6an7tm9q01u8zgi01kn6glxy2xvje7tm9q01u8z6sq01u8z6aw.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\newpc02\WINDOWS
c:\documents and settings\ws1.PSBOYNTON\Application Data\sm-b3142512904a73eaa37abe95da908c7e.exe
c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\ejrp.exe
c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\ojyd.exe
c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\vqwj.exe
c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\xpvs.exe
C:\hosts
c:\windows\iun6002.exe
c:\windows\regedit.com
c:\windows\regsvr32.exe
c:\windows\system32\_000125_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\5955b5899b1b00b4.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\SET198.tmp
c:\windows\system32\SET19C.tmp
c:\windows\system32\SET19D.tmp
c:\windows\system32\SET1A4.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
2012-03-07 14:22 . 2012-03-07 14:36 -------- d-----w- C:\ComboFix
2012-03-07 14:02 . 2012-03-07 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-03-07 13:58 . 2012-03-07 13:58 -------- d-----w- C:\found.000
2012-03-07 09:03 . 2012-03-07 09:03 -------- d-----w- C:\caa6c23f234c07a82a4f7e
2012-03-06 22:04 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-06 22:04 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-03-06 22:02 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-03-06 22:02 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-03-06 22:02 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-03-06 22:01 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-03-06 22:01 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-03-06 21:54 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-03-06 21:53 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-03-06 21:53 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-06 21:53 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-06 21:50 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-03-06 21:49 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-02-27 14:31 . 2012-02-27 14:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-27 14:01 . 2012-02-27 14:03 -------- d-----w- c:\documents and settings\ws1.PSBOYNTON\Application Data\AVG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-27 14:31 . 2011-10-10 17:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-16 21:51 . 2011-08-05 13:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-20 14:09 . 2010-02-15 15:10 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-20 14:09 . 2010-02-15 15:10 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-12-20 14:09 . 2010-02-15 15:10 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-12-20 14:09 . 2010-02-15 15:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 20:24 . 2010-02-22 18:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-12-20 14:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-24 22:24 2416480 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avgwd"=2 (0x2)
"AVGIDSAgent"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lytec 2011\\Lytec.exe"=
"c:\\Program Files\\Simego\\SQL Admin Studio\\Simego.SQLTools.Explorer.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 9:08 AM 65584]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/27/2010 8:20 AM 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 B-Service;B-Service;c:\documents and settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\KPER4TEF\B-Service.exe --> c:\documents and settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\KPER4TEF\B-Service.exe [?]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-07 c:\windows\Tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
- c:\program files\AVG\AVG PC Tuneup\BoostSpeed.exe [2012-02-27 22:20]
.
2012-03-07 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
- c:\windows\system32\mobsync.exe [2006-02-28 10:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://encrypted.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bethesdahealthcare.com
Trusted Zone: bethesdahealthcare.com\bcsg2
TCP: DhcpNameServer = 192.168.1.254
DPF: MIW Deployment - hxxps://64.135.121.50/downloads/MIWDeploy.cab
DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} - hxxp://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB
DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} - hxxps://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_26//sframe/IETools.cab
DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} - hxxps://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} - hxxps://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
MSConfigStartUp-Best Malware Protection - c:\documents and settings\All Users\Application Data\d9b4a3\BMd9b_2285.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
AddRemove-CaptureCAM-PLAYER - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-07 09:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\LMIinit.dll
.
Completion time: 2012-03-07 10:02:28
ComboFix-quarantined-files.txt 2012-03-07 15:02
.
Pre-Run: 62,731,247,616 bytes free
Post-Run: 62,929,498,112 bytes free
.
- - End Of File - - 858DCE1C85DBBA207107E3F7BB82DC15
 
Discovered the problem why it was restarting, the CPU was overheating
Did you take care of it?

Combofix log looks good.
Is the redirection gone?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
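Whether the redirection is gone can also be checked directly in the Windows hosts file (%SystemRoot%\system32\drivers\etc\hosts), a common place for a browser redirect of this kind to live: entries that point well-known domains at a single public IP are the typical sign. The script below is an added example, not part of the thread or of any of the tools mentioned in it; the sample hosts content is constructed, with the 74.50.127.5 address taken from the OTL output in this thread.

```python
"""Audit a Windows hosts file for redirect-style hijacks.

Added example, not part of the forum thread. Legitimate hosts entries almost
always point at loopback (127.0.0.1), a LAN address (RFC 1918) or link-local
space; a public, routable address mapped to a hostname, especially one public
address shared by many well-known domains, is the classic hosts-file redirect.
"""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the entries reported in this thread: a normal
# localhost line, a LAN server, and Google domains all pointed at one public IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.200   server
74.50.127.5     www.google.com
74.50.127.5     google.com
74.50.127.5     google.de
74.50.127.5     www.google.de
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; the resolver would not honour it either
        for name in parts[1:]:
            yield ip, name.lower()


def is_expected_target(ip):
    """Addresses a hosts file has a plausible reason to point at."""
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def audit_hosts(text):
    """Return {public_ip: [hostnames]} for every mapping to a routable address.

    Each key is one suspicious sinkhole/redirect address; the longer the list of
    hostnames behind it, the more clearly it is a hijack rather than a one-off
    override an administrator added on purpose.
    """
    findings = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_expected_target(ip):
            findings[str(ip)].append(name)
    return dict(findings)


def describe(findings):
    """Human-readable lines suitable for pasting into a forum post or ticket."""
    return [f"{ip} hijacks {len(names)} host(s): {', '.join(names)}"
            for ip, names in sorted(findings.items())]


if __name__ == "__main__":
    for line in describe(audit_hosts(SAMPLE_HOSTS)):
        print(line)
```

A hijacked hosts file is often also marked read-only, hidden and system to hinder cleanup, so check its attributes as well as its contents before editing it.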
 
Redirects are still present after Combofix. The CPU was only overheating when using Combofix; regular use of the computer has never caused that to my knowledge, but as a temp fix, yeah, I fixed it.

OTL logfile created on: 3/7/2012 4:27:38 PM - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\ws1.PSBOYNTON\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.23 Mb Total Physical Memory | 508.86 Mb Available Physical Memory | 51.34% Memory free
2.33 Gb Paging File | 1.94 Gb Available in Paging File | 83.09% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 58.58 Gb Free Space | 78.63% Space Free | Partition Type: NTFS

Computer Name: WS101 | User Name: ws1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
PRC - [2010/03/10 23:22:04 | 000,599,408 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2010/03/10 23:21:16 | 000,300,400 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/11/15 05:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
SRV - [2011/12/20 09:09:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mbr)
DRV - File not found [Kernel | Auto | Stopped] -- -- (LMIInfo)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - File not found [Kernel | Auto | Stopped] -- -- (ASInsHelp)
DRV - [2011/12/20 09:09:15 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2009/10/05 09:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2005/03/04 02:40:58 | 000,243,200 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2005/03/03 14:41:20 | 000,011,776 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/11/17 06:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/07/17 20:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
IE - HKLM\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://encrypted.google.com/
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={E8F0ED9D-DD26-4DFA-8F61-019A50FEA5DD}&mid=8c5f7c80478b47d69709d15cb406d42b-af1ffedc1e63af8a5e4c9b0cb243349fa28e2f3f&lang=en&ds=AVG&pr=fr&d=2011-10-10 10:42:59&v=8.0.0.34&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F5FFAD6B-58F2-4BD3-864C-7D8CD81F49D3&apn_sauid=B4396621-ACB3-4BCD-B7DC-1E8460871B93
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/16 16:58:02 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/03/18 10:31:36 | 000,002,064 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.200 server
O1 - Hosts: 74.50.127.5 www.google.com
O1 - Hosts: 74.50.127.5 google.com
O1 - Hosts: 74.50.127.5 google.com.au
O1 - Hosts: 74.50.127.5 www.google.com.au
O1 - Hosts: 74.50.127.5 google.be
O1 - Hosts: 74.50.127.5 www.google.be
O1 - Hosts: 74.50.127.5 google.com.br
O1 - Hosts: 74.50.127.5 www.google.com.br
O1 - Hosts: 74.50.127.5 google.ca
O1 - Hosts: 74.50.127.5 www.google.ca
O1 - Hosts: 74.50.127.5 google.ch
O1 - Hosts: 74.50.127.5 www.google.ch
O1 - Hosts: 74.50.127.5 google.de
O1 - Hosts: 74.50.127.5 www.google.de
O1 - Hosts: 74.50.127.5 google.dk
O1 - Hosts: 74.50.127.5 www.google.dk
O1 - Hosts: 74.50.127.5 google.fr
O1 - Hosts: 74.50.127.5 www.google.fr
O1 - Hosts: 74.50.127.5 google.ie
O1 - Hosts: 74.50.127.5 www.google.ie
O1 - Hosts: 74.50.127.5 google.it
O1 - Hosts: 74.50.127.5 www.google.it
O1 - Hosts: 74.50.127.5 google.co.jp
O1 - Hosts: 24 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([bcsg2] https in Trusted sites)
O16 - DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} http://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB (PyramHelp.cHelp)
O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} https://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab (Soarian Frame Tools for Internet Explorer)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1318263123862 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} https://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab (WebClientInstall Class)
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} https://techinline.net/Client/TIClient.cab (TIClientControl Object)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} https://pacs.floridaopenimaging.com/plugins/jre/1_4/amicasjreinstaller_1_4_silent.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} https://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab (Ter Control)
O16 - DPF: MIW Deployment https://64.135.121.50/downloads/MIWDeploy.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSBOYNTON.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D33FCFC5-C20A-4187-9630-34890668D0D4}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/07 16:26:33 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2012/03/07 09:42:33 | 004,428,654 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
[2012/03/07 09:22:02 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/03/07 08:58:18 | 000,000,000 | ---D | C] -- C:\found.000
[2012/03/07 04:03:43 | 000,000,000 | ---D | C] -- C:\caa6c23f234c07a82a4f7e
[2012/03/06 16:46:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/03/06 16:31:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/06 16:26:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/06 16:26:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/06 16:26:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/06 16:26:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/06 16:26:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/06 16:26:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/06 16:24:02 | 004,428,059 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
[2012/03/02 16:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RK_Quarantine
[2012/03/02 16:05:15 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
[2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\My Documents\My Videos
[2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Start Menu\Programs\Administrative Tools
[2012/02/29 08:22:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
[2012/02/27 09:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
[2012/02/27 08:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2012/03/07 12:15:40 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
[2012/03/07 09:43:08 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
[2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
[2012/03/07 09:36:21 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2012/03/07 09:35:32 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/07 09:32:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/07 09:09:22 | 000,441,544 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/07 09:09:22 | 000,071,480 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/07 09:00:01 | 000,245,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/07 04:02:11 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/07 03:08:09 | 002,004,257 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
[2012/03/05 09:40:04 | 000,000,257 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\Iron Mountain Connect Login.url
[2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
[2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
[2012/02/29 08:22:54 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/29 08:22:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
[2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
[2012/02/27 08:59:56 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2012/02/27 08:59:56 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
[2012/02/24 08:45:02 | 089,952,282 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/02/22 18:14:27 | 000,252,226 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/02/16 16:58:02 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/02/16 16:31:42 | 000,620,460 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/07 09:43:01 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
[2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/03/06 16:31:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/03/06 16:31:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/06 16:26:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/06 16:26:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/06 16:26:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/06 16:26:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/06 16:26:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/02 16:18:41 | 001,339,904 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
[2012/02/29 08:22:54 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/29 08:22:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
[2012/02/27 09:00:20 | 000,000,364 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2012/02/27 08:59:56 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2012/02/27 08:59:56 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
[2012/02/16 16:52:54 | 000,000,392 | -H-- | C] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
[2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
[2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymbp.exe
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fjpr.exe
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\edod.exe
[2010/05/20 09:26:49 | 000,081,920 | ---- | C] () -- C:\WINDOWS\OEMQuery.exe

========== LOP Check ==========

[2011/05/02 10:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
[2011/10/10 11:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\AVG Secure Search
[2011/10/10 11:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\ICAClient
[2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
[2011/12/06 15:12:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2010/02/23 14:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/17 13:51:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\BMLOHDMPAP
[2010/09/10 12:22:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/03/18 10:56:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/02/16 16:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/11/21 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lytec
[2011/12/06 14:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McKesson
[2012/02/24 08:45:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/11/21 16:38:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2010/07/08 11:06:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\AMICAS
[2010/09/10 12:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\ICAClient
[2012/02/27 09:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
[2011/12/06 15:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG2012
[2011/05/02 14:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ICAClient
[2011/12/07 15:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ntr
[2012/03/07 09:36:21 | 000,000,364 | ---- | M] () -- C:\WINDOWS\Tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2012/03/07 12:15:40 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/02/15 10:09:50 | 000,001,024 | ---- | M] () -- C:\.rnd
[2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2012/03/07 10:02:29 | 000,011,888 | ---- | M] () -- C:\ComboFix.txt
[2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/03/17 14:44:13 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2011/11/17 07:43:37 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/03/07 09:32:31 | 1560,281,088 | -HS- | M] () -- C:\pagefile.sys
[2009/03/19 13:09:59 | 000,019,538 | ---- | M] () -- C:\setup.log

< %systemroot%\Fonts\*.com >
[2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2007/04/11 14:05:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/01/30 09:00:00 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
[2011/12/20 09:09:15 | 000,052,096 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
[2003/06/18 16:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2007/04/11 21:39:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2007/04/11 21:39:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2007/04/11 21:39:14 | 000,884,736 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2011/11/17 08:04:03 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/05/02 10:54:32 | 000,000,060 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2011/05/02 10:54:32 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
[2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
[2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
[2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
[2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\tasks\*.* >
[2012/03/07 09:36:21 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2006/02/28 07:00:00 | 000,000,065 | RH-- | M] () -- C:\WINDOWS\tasks\desktop.ini
[2012/03/07 10:02:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2012/03/07 12:15:40 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2011/05/02 10:54:32 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/05/02 10:52:59 | 000,009,338 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >
 
< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011/11/17 06:10:26 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\desktop.ini
[2012/03/07 16:25:44 | 000,212,992 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2004/08/04 00:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2004/08/04 00:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2008/04/14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2007/04/02 23:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2007/04/02 23:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2007/04/02 23:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2004/08/04 00:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/08/04 00:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< >

< End of report >
-----------------------------------------------

OTL Extras logfile created on: 3/7/2012 4:27:38 PM - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\ws1.PSBOYNTON\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.23 Mb Total Physical Memory | 508.86 Mb Available Physical Memory | 51.34% Memory free
2.33 Gb Paging File | 1.94 Gb Available in Paging File | 83.09% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 58.58 Gb Free Space | 78.63% Space Free | Partition Type: NTFS

Computer Name: WS101 | User Name: ws1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = LocalSubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:mad:xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Lytec 2011\Lytec.exe" = C:\Program Files\Lytec 2011\Lytec.exe:*:Enabled:Lytec -- (McKesson)
"C:\Program Files\Simego\SQL Admin Studio\Simego.SQLTools.Explorer.exe" = C:\Program Files\Simego\SQL Admin Studio\Simego.SQLTools.Explorer.exe:*:Enabled:SQL Admin Studio -- (Simego)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{023D64D7-E7B4-47C7-BE6E-B7C2E8960D08}" = Citrix online plug-in (Web)
"{0360D8F0-626A-4E87-8A16-938BD0BEBCC5}" = 32 Bit HP CIO Components Installer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{299120B9-CD21-43F6-87A5-95BD0673EE45}" = SQL Admin Studio
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup
"{6F8EAC65-314D-4D86-9557-BC9312AACCB0}" = Citrix online plug-in (USB)
"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
"{8144262B-25B4-44F6-8204-FCC8EF50179F}" = Citrix online plug-in (DV)
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3AE0EFB-C8C2-4AF5-9841-459DB1C138CF}" = Crystal Reports 10 Support Files
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{ca5da644-8de3-4323-b659-843b63272ba9}" = Revenue Management
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
"{E7E84E23-C5C0-4B15-B13A-C63149E59C98}" = AVG 2012
"{EA74A293-3FAC-4D1B-AE3A-3BD47FADDC20}" = Citrix online plug-in (HDX)
"{ED01C034-09A6-4C4F-A7B5-A1B5ADBA4542}" = Lytec 2011 Professional
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"AsusUpdate" = AsusUpdate
"AVG" = AVG 2012
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SiS VGA Driver" = SiS VGA Utilities
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/21/2011 2:35:47 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/21/2011 2:36:02 PM | Computer Name = WS101 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/21/2011 2:38:41 PM | Computer Name = WS101 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 11/21/2011 2:49:40 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/21/2011 2:49:55 PM | Computer Name = WS101 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/21/2011 2:54:45 PM | Computer Name = WS101 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 11/21/2011 2:59:48 PM | Computer Name = WS101 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 11/21/2011 3:03:30 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/21/2011 3:03:46 PM | Computer Name = WS101 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/21/2011 3:03:51 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ System Events ]
Error - 3/7/2012 10:19:23 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 3/7/2012 10:32:51 AM | Computer Name = WS101 | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume C:.

Error - 3/7/2012 10:33:09 AM | Computer Name = WS101 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain PSBOYNTON due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 3/7/2012 10:33:21 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7000
Description = The ASInsHelp service failed to start due to the following error:
%%2

Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the LMIGuardianSvc service
to connect.

Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7000
Description = The LMIGuardianSvc service failed to start due to the following error:
%%1053

Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Kernel Information Provider service failed to start due
to the following error: %%2

Error - 3/7/2012 10:33:36 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 3/7/2012 10:48:52 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.


< End of report >


------------------------------------------
Thank you very much for your time and patience Broni!

Broni, OTL did not create the Extras.txt log file this time.

OTL logfile created on: 3/9/2012 4:58:29 PM - Run 2
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\ws1.PSBOYNTON\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.23 Mb Total Physical Memory | 642.23 Mb Available Physical Memory | 64.79% Memory free
2.33 Gb Paging File | 2.11 Gb Available in Paging File | 90.42% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 58.77 Gb Free Space | 78.89% Space Free | Partition Type: NTFS

Computer Name: WS101 | User Name: ws1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
PRC - [2012/01/24 17:24:26 | 005,781,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgmfapx.exe
PRC - [2012/01/24 17:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/10/10 06:23:34 | 000,973,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2010/03/10 23:22:04 | 000,599,408 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2010/03/10 23:21:16 | 000,300,400 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/11/15 05:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
SRV - [2011/12/20 09:09:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Auto | Stopped] -- -- (LMIInfo)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - File not found [Kernel | Auto | Stopped] -- -- (ASInsHelp)
DRV - [2011/12/20 09:09:15 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2009/10/05 09:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2005/03/04 02:40:58 | 000,243,200 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2005/03/03 14:41:20 | 000,011,776 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/11/17 06:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/07/17 20:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
IE - HKLM\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={20A950D9-7605-4611-905F-7251B5DD4C4D}&mid=8c5f7c80478b47d69709d15cb406d42b-af1ffedc1e63af8a5e4c9b0cb243349fa28e2f3f&lang=en&ds=AVG&pr=fr&d=&v=&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F5FFAD6B-58F2-4BD3-864C-7D8CD81F49D3&apn_sauid=B4396621-ACB3-4BCD-B7DC-1E8460871B93
IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/03/09 16:54:12 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/12/22 16:11:00 | 000,000,732 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([bcsg2] https in Trusted sites)
O16 - DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} http://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB (PyramHelp.cHelp)
O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} https://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab (Soarian Frame Tools for Internet Explorer)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1318263123862 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} https://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab (WebClientInstall Class)
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} https://techinline.net/Client/TIClient.cab (TIClientControl Object)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} https://pacs.floridaopenimaging.com/plugins/jre/1_4/amicasjreinstaller_1_4_silent.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} https://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab (Ter Control)
O16 - DPF: MIW Deployment https://64.135.121.50/downloads/MIWDeploy.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSBOYNTON.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D33FCFC5-C20A-4187-9630-34890668D0D4}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/09 16:58:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/09 16:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG2012
[2012/03/09 16:54:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
[2012/03/08 09:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/07 16:26:33 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2012/03/07 09:42:33 | 004,428,654 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
[2012/03/07 09:22:02 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/03/07 08:58:18 | 000,000,000 | ---D | C] -- C:\found.000
[2012/03/07 04:03:43 | 000,000,000 | ---D | C] -- C:\caa6c23f234c07a82a4f7e
[2012/03/06 16:46:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/03/06 16:31:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/06 16:26:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/06 16:26:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/06 16:26:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/06 16:26:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/06 16:26:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/06 16:26:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/06 16:24:02 | 004,428,059 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
[2012/03/02 16:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RK_Quarantine
[2012/03/02 16:05:15 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
[2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\My Documents\My Videos
[2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Start Menu\Programs\Administrative Tools
[2012/02/29 08:22:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
[2012/02/27 09:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
[2012/02/27 08:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/09 17:00:46 | 058,794,243 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/03/09 16:54:12 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/03/09 16:47:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2012/03/09 16:46:28 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/09 16:43:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/09 12:14:47 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
[2012/03/08 14:25:31 | 000,000,257 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\Iron Mountain Connect Login.url
[2012/03/08 03:04:17 | 000,441,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/08 03:04:17 | 000,071,482 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2012/03/07 09:43:08 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
[2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
[2012/03/07 09:00:01 | 000,245,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/07 04:03:23 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/07 03:08:09 | 002,004,257 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
[2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
[2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
[2012/02/29 08:22:54 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/29 08:22:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
[2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
[2012/02/27 08:59:56 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2012/02/27 08:59:56 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
[2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/02/16 16:31:42 | 000,620,460 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/09 16:54:12 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/03/07 09:43:01 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
[2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/03/06 16:31:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/03/06 16:31:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/06 16:26:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/06 16:26:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/06 16:26:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/06 16:26:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/06 16:26:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/02 16:18:41 | 001,339,904 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
[2012/02/29 08:22:54 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/29 08:22:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
[2012/02/27 09:00:20 | 000,000,364 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2012/02/27 08:59:56 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2012/02/27 08:59:56 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
[2012/02/16 16:52:54 | 000,000,392 | -H-- | C] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
[2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
[2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymbp.exe
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fjpr.exe
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\edod.exe
[2010/05/20 09:26:49 | 000,081,920 | ---- | C] () -- C:\WINDOWS\OEMQuery.exe

========== LOP Check ==========

[2011/05/02 10:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
[2011/10/10 11:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\AVG Secure Search
[2011/10/10 11:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\ICAClient
[2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
[2012/03/09 17:07:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2010/02/23 14:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/17 13:51:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\BMLOHDMPAP
[2010/09/10 12:22:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/03/18 10:56:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/02/16 16:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/11/21 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lytec
[2011/12/06 14:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McKesson
[2012/03/09 17:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/03/09 16:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/11/21 16:38:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2010/07/08 11:06:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\AMICAS
[2010/09/10 12:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\ICAClient
[2012/02/27 09:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
[2012/03/09 16:56:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG2012
[2011/05/02 14:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ICAClient
[2011/12/07 15:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ntr
[2012/03/09 16:47:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\Tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2012/03/09 12:14:47 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/02/15 10:09:50 | 000,001,024 | ---- | M] () -- C:\.rnd
[2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2012/03/07 10:02:29 | 000,011,888 | ---- | M] () -- C:\ComboFix.txt
[2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/03/17 14:44:13 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2011/11/17 07:43:37 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/03/09 16:43:10 | 1560,281,088 | -HS- | M] () -- C:\pagefile.sys
[2009/03/19 13:09:59 | 000,019,538 | ---- | M] () -- C:\setup.log

< %systemroot%\Fonts\*.com >
[2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2007/04/11 14:05:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/01/30 09:00:00 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
[2011/12/20 09:09:15 | 000,052,096 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
[2003/06/18 16:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2007/04/11 21:39:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2007/04/11 21:39:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2007/04/11 21:39:14 | 000,884,736 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2011/11/17 08:04:03 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/05/02 10:54:32 | 000,000,060 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2011/05/02 10:54:32 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
[2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
[2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
[2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
[2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\tasks\*.* >
[2012/03/09 16:47:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
[2006/02/28 07:00:00 | 000,000,065 | RH-- | M] () -- C:\WINDOWS\tasks\desktop.ini
[2012/03/09 16:43:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2012/03/09 17:17:22 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2011/05/02 10:54:32 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/05/02 10:52:59 | 000,009,338 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011/11/17 06:10:26 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\desktop.ini
[2012/03/09 16:58:18 | 000,212,992 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2004/08/04 00:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2004/08/04 00:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2008/04/14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2007/04/02 23:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2007/04/02 23:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2007/04/02 23:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2004/08/04 00:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/08/04 00:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >
 
Still redirected?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
    IE - HKLM\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US& apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F5FFAD6B-58F2-4BD3-864C-7D8CD81F49D3&apn_sauid=B4396621-ACB3-4BCD-B7DC-1E8460871B93
    O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([bcsg2] https in Trusted sites)
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} https://pacs.floridaopenimaging.com/...1_4_silent.cab (Reg Error: Key error.)
    O16 - DPF: MIW Deployment https://64.135.121.50/downloads/MIWDeploy.cab (Reg Error: Key error.)
    [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
    [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymbp.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fjpr.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\edod.exe
    [2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
 
The redirect seems to be gone. Internet options are accessible again, and the Windows security alert doesn't show "Best Malware Protection" as the antivirus program; Windows updates have also been installing, and I have been able to adjust the update settings.

LOG:

All processes killed
========== OTL ==========
Service B-Service stopped successfully!
Service B-Service deleted successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF739809-1C6C-47C0-85B9-569DBB141420}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry key HKEY_USERS\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF739809-1C6C-47C0-85B9-569DBB141420}\ not found.
Registry key HKEY_USERS\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bethesdahealthcare.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bethesdahealthcare.com\bcsg2\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}
C:\WINDOWS\Downloaded Program Files\amicasjreinstaller_1_4_silent.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control MIW Deployment
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\MIW Deployment\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\MIW Deployment\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\MIW Deployment\ not found.
C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27 moved successfully.
C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27 moved successfully.
C:\Documents and Settings\All Users\Application Data\yroi.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\ymbp.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\fjpr.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\edod.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\Ask\APN-Stub folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Ask folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 348 bytes

User: Administrator.PSBOYNTON
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 706575 bytes
->Java cache emptied: 488 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: newpc02
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 524 bytes

User: ws1
->Temp folder emptied: 87437786 bytes
->Temporary Internet Files folder emptied: 52592010 bytes
->Java cache emptied: 62263080 bytes
->Flash cache emptied: 3155421 bytes

User: ws1.PSBOYNTON
->Temp folder emptied: 1713502 bytes
->Temporary Internet Files folder emptied: 44860925 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2355 bytes

User: __sbs_netsetup__
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4234508 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 25494 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 493706 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4051254 bytes

Total Files Cleaned = 250.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.PSBOYNTON
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: newpc02

User: ws1
->Java cache emptied: 0 bytes

User: ws1.PSBOYNTON
->Java cache emptied: 0 bytes

User: __sbs_netsetup__

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: Administrator.PSBOYNTON
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: newpc02
->Flash cache emptied: 0 bytes

User: ws1
->Flash cache emptied: 0 bytes

User: ws1.PSBOYNTON
->Flash cache emptied: 0 bytes

User: __sbs_netsetup__

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.35.1 log created on 03142012_082920

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Good news :)

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
Logs:

Security Check:
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2012
AVG PC Tuneup
AVG 2012
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

AVG PC Tuneup
Java(TM) 6 Update 31
Java 2 Runtime Environment, SE v1.4.2_06
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

-------------------------------------------------------------
FSS:
Farbar Service Scanner Version: 01-03-2012
Ran by ws1 (administrator) on 18-03-2012 at 09:11:49
Running from "C:\Documents and Settings\ws1.PSBOYNTON\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(15) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x100000000500000001000000020000000300000004000000560000000A0000000B0000000C0000000D0000000E0000000F00000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****

-----------------------------------------------------------

ESET:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\d9b4a3\276.mof.vir Win32/RogueAV.A trojan cleaned by deleting - quarantined
 
Uninstall Java 2 Runtime Environment, SE v1.4.2_06

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select the "Custom" installation, so you can UN-check any possible "drive-by install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read "How did I get infected?, with steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Here's the OTL log. I'm running the rest of the clean-up as instructed and will report back tomorrow about any issues. Thanks Broni!

OTL Log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.PSBOYNTON
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: newpc02
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ws1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ws1.PSBOYNTON
->Temp folder emptied: 44172 bytes
->Temporary Internet Files folder emptied: 11990360 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: __sbs_netsetup__
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 893 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 12.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: Administrator.PSBOYNTON
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: newpc02
->Flash cache emptied: 0 bytes

User: ws1
->Flash cache emptied: 0 bytes

User: ws1.PSBOYNTON
->Flash cache emptied: 0 bytes

User: __sbs_netsetup__

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.PSBOYNTON
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: newpc02

User: ws1
->Java cache emptied: 0 bytes

User: ws1.PSBOYNTON
->Java cache emptied: 0 bytes

User: __sbs_netsetup__

Total Java Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.35.1 log created on 03182012_191019

Files\Folders moved on Reboot...
C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\F3VSL3PW\partner[1].htm moved successfully.
C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\F3VSL3PW\showthread[1].htm moved successfully.
C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...
 
Thank you for the help Broni. The issue did seem resolved. However, not long after clean-up (1-2 days after; the only other things done were defragging/CCleaner and uninstalling a couple of other old programs), the computer started throwing C:\$mft errors and eventually stopped booting. Not sure what happened, or if it was related to the original post or not. Either way the computer is scrap. Wish that if it'd planned on dying all along it'd have done it before we both spent all that time on it. :(