Redirect and update/virus scan blocking malware

Solved
By severedgein
Feb 29, 2012
  1. Hello again,

    Trying to clean up computers at work again. Thankfully this bug hasn't spread across the network, and it seems pretty benign for the most part, but I'd appreciate your help getting it off so I can get AVG and Windows updates working properly again.

    Symptoms:
    It's completely blocking Microsoft updates; it's giving me a constant Microsoft Security Alert that "automatic updates are turned off", which cannot be enabled, nor does going directly to the Microsoft update site work. Also, the virus protection is labeled as "Best Malware Protection" in the virus part of MS Sec. Alerts.

    It's blocking most of the features in AVG free 2012; all scans are missing, and won't run when using the scan features in the system tray icon, and updates are blocked/simply don't run.

    Lastly, the homepage for IE has been changed to "encrypted.google.com" and redirects after the 3rd or so page opened to some Yellowpages.com site; also the ability to adjust settings in IE has been completely blocked/greyed out.

    Logs:
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.29.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    ws1 :: WS101 [administrator]

    2/29/2012 8:24:13 AM
    mbam-log-2012-02-29 (08-24-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 268702
    Time elapsed: 14 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    -------------------------------------------------------------------------------
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-29 08:47:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD800JD-75MSA3 rev.10.01E04
    Running: feym0l94.exe; Driver: C:\DOCUME~1\WS1~1.PSB\LOCALS~1\Temp\pxtdqpog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    ----------------------------------------------------------------------------------
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by ws1 at 8:50:05 on 2012-02-29
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.617 [GMT -5:00]
    .
    AV: Best Malware Protection *Enabled/Updated* {22DD0267-B573-4DF4-B355-112ED9B117EE}
    FW: Best Malware Protection *Enabled*
    FW: AVG Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uStart Page = hxxp://encrypted.google.com/
    uDefault_Page_URL = hxxp://companyweb
    uSearch Bar =
    mSearchAssistant =
    mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60252
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    Trusted Zone: bethesdahealthcare.com
    Trusted Zone: bethesdahealthcare.com\bcsg2
    DPF: MIW Deployment - hxxps://64.135.121.50/downloads/MIWDeploy.cab
    DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} - hxxp://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB
    DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} - hxxps://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_26//sframe/IETools.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1318263123862
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} - hxxps://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab
    DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
    DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxps://pacs.floridaopenimaging.com/plugins/jre/1_4/amicasjreinstaller_1_4_silent.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} - hxxps://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{D33FCFC5-C20A-4187-9630-34890668D0D4} : DhcpNameServer = 192.168.1.254
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    IFEO: image file execution options - svchost.exe
    Hosts: 192.168.1.200 server
    Hosts: 74.50.127.5 www.google.com
    Hosts: 74.50.127.5 google.com
    Hosts: 74.50.127.5 google.com.au
    Hosts: 74.50.127.5 www.google.com.au
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-15 47640]
    R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-27 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    S3 B-Service;B-Service;c:\documents and settings\ws1.psboynton\local settings\temporary internet files\content.ie5\kper4tef\b-service.exe --> c:\documents and settings\ws1.psboynton\local settings\temporary internet files\content.ie5\kper4tef\B-Service.exe [?]
    S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    S4 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2012-02-27 14:31:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-27 14:01:21 -------- d-----w- c:\documents and settings\ws1.psboynton\application data\AVG
    .
    ==================== Find3M ====================
    .
    2012-02-27 14:31:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-16 21:51:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-20 14:09:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-12-20 14:09:15 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2011-12-20 14:09:14 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-12-20 14:09:14 30592 ----a-w- c:\windows\system32\LMIport.dll
    2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-06 19:07:52 3162632 ----a-w- c:\documents and settings\ws1.psboynton\application data\sm-b3142512904a73eaa37abe95da908c7e.exe
    .
    ============= FINISH: 8:50:49.23 ===============
    --------------------------------------------------------------------------------------

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/11/2007 3:08:30 PM
    System Uptime: 2/27/2012 9:25:34 AM (47 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5S800-VM
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3192/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 29.766 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP451: 6/4/2008 12:35:35 PM - Installed AVG 8.0
    RP452: 6/4/2008 1:24:17 PM - Installed AVG 8.0
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 192.168.1.200 server
    Hosts: 74.50.127.5 www.google.com
    Hosts: 74.50.127.5 google.com
    Hosts: 74.50.127.5 google.com.au
    Hosts: 74.50.127.5 www.google.com.au
    Hosts: 74.50.127.5 google.be
    Hosts: 74.50.127.5 www.google.be
    Hosts: 74.50.127.5 google.com.br
    Hosts: 74.50.127.5 www.google.com.br
    Hosts: 74.50.127.5 google.ca
    Hosts: 74.50.127.5 www.google.ca
    Hosts: 74.50.127.5 google.ch
    Hosts: 74.50.127.5 www.google.ch
    Hosts: 74.50.127.5 google.de
    Hosts: 74.50.127.5 www.google.de
    Hosts: 74.50.127.5 google.dk
    Hosts: 74.50.127.5 www.google.dk
    Hosts: 74.50.127.5 google.fr
    Hosts: 74.50.127.5 www.google.fr
    Hosts: 74.50.127.5 google.ie
    Hosts: 74.50.127.5 www.google.ie
    Hosts: 74.50.127.5 google.it
    Hosts: 74.50.127.5 www.google.it
    Hosts: 74.50.127.5 google.co.jp
    Hosts: 74.50.127.5 www.google.co.jp
    Hosts: 74.50.127.5 google.nl
    Hosts: 74.50.127.5 www.google.nl
    Hosts: 74.50.127.5 google.no
    Hosts: 74.50.127.5 www.google.no
    Hosts: 74.50.127.5 google.co.nz
    Hosts: 74.50.127.5 www.google.co.nz
    Hosts: 74.50.127.5 google.pl
    Hosts: 74.50.127.5 www.google.pl
    Hosts: 74.50.127.5 google.se
    Hosts: 74.50.127.5 www.google.se
    Hosts: 74.50.127.5 google.co.uk
    Hosts: 74.50.127.5 www.google.co.uk
    Hosts: 74.50.127.5 google.co.za
    Hosts: 74.50.127.5 www.google.co.za
    Hosts: 74.50.127.5 www.google-analytics.com
    Hosts: 74.50.127.5 www.bing.com
    Hosts: 74.50.127.5 search.yahoo.com
    Hosts: 74.50.127.5 www.search.yahoo.com
    Hosts: 74.50.127.5 uk.search.yahoo.com
    Hosts: 74.50.127.5 ca.search.yahoo.com
    Hosts: 74.50.127.5 de.search.yahoo.com
    Hosts: 74.50.127.5 fr.search.yahoo.com
    Hosts: 74.50.127.5 au.search.yahoo.com
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.1.5
    AsusUpdate
    AVG 2012
    AVG PC Tuneup
    CaptureCAM-PLAYER
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Crystal Reports 10 Support Files
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_06
    Java Auto Updater
    Java(TM) 6 Update 31
    Lytec 2011 Professional
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    MSXML 6 Service Pack 2 (KB973686)
    Realtek AC'97 Audio
    Revenue Management
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Shadow Copy Client
    SiS VGA Utilities
    SiSAGP driver
    SQL Admin Studio
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/27/2012 9:28:35 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    2/23/2012 9:02:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LMIGuardianSvc service to connect.
    2/23/2012 9:02:31 AM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the file specified.
    2/23/2012 9:02:31 AM, error: Service Control Manager [7000] - The LMIGuardianSvc service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/23/2012 9:02:31 AM, error: Service Control Manager [7000] - The ASInsHelp service failed to start due to the following error: The system cannot find the file specified.
    2/23/2012 9:02:26 AM, error: NETLOGON [5719] - No Domain Controller is available for domain PSBOYNTON due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    .
    ==== End Of File ===========================

    THANK YOU!!!
  2. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =====================================================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  3. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    Here are the logs:

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-02 16:05:21
    -----------------------------
    16:05:21.093 OS Version: Windows 5.1.2600 Service Pack 3
    16:05:21.093 Number of processors: 2 586 0x409
    16:05:21.093 ComputerName: WS101 UserName: ws1
    16:05:21.640 Initialize success
    16:08:01.687 AVAST engine defs: 12030201
    16:08:12.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    16:08:12.546 Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
    16:08:12.562 Disk 0 MBR read successfully
    16:08:12.562 Disk 0 MBR scan
    16:08:12.609 Disk 0 Windows XP default MBR code
    16:08:12.609 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
    16:08:12.609 Disk 0 scanning sectors +156232125
    16:08:12.718 Disk 0 scanning C:\WINDOWS\system32\drivers
    16:08:28.109 Service scanning
    16:08:44.453 Modules scanning
    16:08:48.968 Disk 0 trace - called modules:
    16:08:49.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    16:08:49.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b1dab8]
    16:08:49.000 3 CLASSPNP.SYS[f789afd7] -> nt!IofCallDriver -> \Device\00000064[0x86b489e8]
    16:08:49.000 5 ACPI.sys[f7811620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86b68940]
    16:08:49.656 AVAST engine scan C:\WINDOWS
    16:09:09.328 AVAST engine scan C:\WINDOWS\system32
    16:12:07.093 File: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_08eaa53a\System.Drawing.dll **HIDDEN**
    16:12:10.906 AVAST engine scan C:\WINDOWS\system32\drivers
    16:12:36.640 AVAST engine scan C:\Documents and Settings\ws1.PSBOYNTON
    16:15:59.546 AVAST engine scan C:\Documents and Settings\All Users
    16:17:42.296 Scan finished successfully
    16:17:58.843 Disk 0 MBR has been saved successfully to "\\Rsxp1\transcriptions\MBR.dat"
    16:17:58.843 The log file has been saved successfully to "\\Rsxp1\transcriptions\aswMBR.txt"


    -------------------------------------------------------------------------

    RogueKiller V7.2.1 [02/29/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: ws1 [Admin rights]
    Mode: Scan -- Date: 03/02/2012 16:19:32

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 1 ¤¤¤
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    192.168.1.200 server
    74.50.127.5 www.google.com
    74.50.127.5 google.com
    74.50.127.5 google.com.au
    74.50.127.5 www.google.com.au
    74.50.127.5 google.be
    74.50.127.5 www.google.be
    74.50.127.5 google.com.br
    74.50.127.5 www.google.com.br
    74.50.127.5 google.ca
    74.50.127.5 www.google.ca
    74.50.127.5 google.ch
    74.50.127.5 www.google.ch
    74.50.127.5 google.de
    74.50.127.5 www.google.de
    74.50.127.5 google.dk
    74.50.127.5 www.google.dk
    74.50.127.5 google.fr
    74.50.127.5 www.google.fr
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD800JD-75MSA3 +++++
    --- User ---
    [MBR] 183ede5eccbb09d77dd5816cdb825a43
    [BSP] fea7d0aec7c8225e513472eb3d9581a0 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76285 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt

    ---------------------------------------------------

    This is an office computer, so I won't be back to follow up on this until Monday, but I await your further instructions. Thank you for your help Broni!
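The RogueKiller HOSTS File section above, like the DDS "Hosts File Hijack" section in the first post, shows every major search-engine name pointed at one outside address. As an added example (not part of this thread and not code from RogueKiller, DDS or any other tool mentioned), here is a small checker that parses hosts-file lines and flags watched search/analytics names mapped to a non-loopback address, grouping them by destination so a single sinkhole address stands out; the sample hosts text is constructed to mirror the entries in the thread.

```python
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple

# Constructed sample, modelled on the HOSTS section posted in the thread:
# a legitimate loopback line, a local server entry, and search-engine names
# all sent to the same outside address.  This is not the poster's real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
192.168.1.200 server
74.50.127.5 www.google.com
74.50.127.5 google.com
74.50.127.5 google.co.uk
74.50.127.5 www.bing.com
74.50.127.5 search.yahoo.com   # trailing comment
::1 localhost
"""

# Search and analytics hostnames that have no business in a workstation hosts
# file unless they resolve to loopback.  Patterns allow a leading label
# (www., uk., de.) and the country-code forms seen in the log (google.co.uk,
# google.com.au, google.de).
WATCHED = [
    re.compile(r"(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$"),
    re.compile(r"(^|\.)google-analytics\.com$"),
    re.compile(r"(^|\.)bing\.com$"),
    re.compile(r"(^|\.)search\.yahoo\.com$"),
]


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text into (line_no, address, hostname) entries.
    Blank lines and '#' comments are skipped; one line may map several names."""
    entries: list[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, maps nothing
        address, *names = parts
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an IPv4/IPv6 address
        for name in names:
            entries.append(HostsEntry(n, address, name.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True if the name matches one of the watched search/analytics domains."""
    return any(p.search(hostname) for p in WATCHED)


def find_hijacks(text: str) -> list[HostsEntry]:
    """Entries that send a watched name somewhere other than loopback.
    Loopback mappings are a common ad-blocking practice and are not flagged."""
    return [
        e for e in parse_hosts(text)
        if is_watched(e.hostname)
        and not ipaddress.ip_address(e.address).is_loopback
    ]


def summarize(text: str) -> dict[str, list[str]]:
    """Group flagged hostnames by destination address."""
    out: dict[str, list[str]] = {}
    for e in find_hijacks(text):
        out.setdefault(e.address, []).append(e.hostname)
    return out


if __name__ == "__main__":
    for addr, names in summarize(SAMPLE_HOSTS).items():
        print(f"{len(names)} search-engine names redirected to {addr}:")
        for h in names:
            print("   ", h)
```

On a real machine the same check runs over the contents of %SystemRoot%\system32\drivers\etc\hosts; an entire set of search domains converging on one non-loopback address is the pattern to look for, and a clean file normally contains only the loopback lines.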
  4. Broni


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    I ran combofix. However, my system restarted itself around step 26/27, then had to run chkdsk and subsequently didn't produce the log because it rebooted again after chkdsk. Upon restart automatic updates are now enabled, and the message in security alerts only shows that there is no anti-virus installed** instead of mentioning Best Malware Protection. I didn't check IE for the ability to adjust options or adjust the firewall settings (which I forgot to mention were also locked before).

    **(though AVG is installed and booted when the system restarted, which I promptly exited expecting Combofix to restart)

    Should I re-run Combofix so it (hopefully) produces a log? Or is there somewhere else I should search for a log that may have been produced the first time other than "C:\", My Documents, and the Desktop?
  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Please re-run Combofix.
  7. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    Discovered the reason it was restarting: the CPU was overheating. I had to use the second "if Combofix won't run" method to get it to finish (after putting a desk fan next to the cabinet) because after the last restart Combofix would not open the blue window after running the initial startup screen. Also, the redirects/blocked internet options were still present before Combofix did manage to run; Windows update was not re-blocked though.

    log:

    ComboFix 12-03-07.02 - ws1 03/07/2012 9:46.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.590 [GMT -5:00]
    Running from: c:\documents and settings\ws1.PSBOYNTON\Desktop\your_name.exe
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\d9b4a3
    c:\documents and settings\All Users\Application Data\d9b4a3\276.mof
    c:\documents and settings\All Users\Application Data\d9b4a3\BMP.ico
    c:\documents and settings\All Users\Application Data\d9b4a3\d9b4a342fb5d1675d500786ffb12f0df.ocx
    c:\documents and settings\All Users\Application Data\d9b4a3\fz6an7tm9q01u8zgi01kn6glxy2xvje7tm9q01u8z6sq01u8z6aw.dll
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\newpc02\WINDOWS
    c:\documents and settings\ws1.PSBOYNTON\Application Data\sm-b3142512904a73eaa37abe95da908c7e.exe
    c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\ejrp.exe
    c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\ojyd.exe
    c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\vqwj.exe
    c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\xpvs.exe
    C:\hosts
    c:\windows\iun6002.exe
    c:\windows\regedit.com
    c:\windows\regsvr32.exe
    c:\windows\system32\_000125_.tmp.dll
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\5955b5899b1b00b4.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\SET198.tmp
    c:\windows\system32\SET19C.tmp
    c:\windows\system32\SET19D.tmp
    c:\windows\system32\SET1A4.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-07 14:22 . 2012-03-07 14:36 -------- d-----w- C:\ComboFix
    2012-03-07 14:02 . 2012-03-07 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-03-07 13:58 . 2012-03-07 13:58 -------- d-----w- C:\found.000
    2012-03-07 09:03 . 2012-03-07 09:03 -------- d-----w- C:\caa6c23f234c07a82a4f7e
    2012-03-06 22:04 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2012-03-06 22:04 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2012-03-06 22:02 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2012-03-06 22:02 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2012-03-06 22:02 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2012-03-06 22:01 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2012-03-06 22:01 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2012-03-06 21:54 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2012-03-06 21:53 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    2012-03-06 21:53 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-03-06 21:53 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    2012-03-06 21:50 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2012-03-06 21:49 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2012-02-27 14:31 . 2012-02-27 14:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-27 14:01 . 2012-02-27 14:03 -------- d-----w- c:\documents and settings\ws1.PSBOYNTON\Application Data\AVG
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-27 14:31 . 2011-10-10 17:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-16 21:51 . 2011-08-05 13:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-20 14:09 . 2010-02-15 15:10 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-12-20 14:09 . 2010-02-15 15:10 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2011-12-20 14:09 . 2010-02-15 15:10 30592 ----a-w- c:\windows\system32\LMIport.dll
    2011-12-20 14:09 . 2010-02-15 15:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-12-10 20:24 . 2010-02-22 18:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
    "SiSPower"="SiSPower.dll" [2005-03-03 49152]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-12-20 14:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
    2012-01-24 22:24 2416480 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avgwd"=2 (0x2)
    "AVGIDSAgent"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Lytec 2011\\Lytec.exe"=
    "c:\\Program Files\\Simego\\SQL Admin Studio\\Simego.SQLTools.Explorer.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 9:08 AM 65584]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/27/2010 8:20 AM 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
    S3 B-Service;B-Service;c:\documents and settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\KPER4TEF\B-Service.exe --> c:\documents and settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\KPER4TEF\B-Service.exe [?]
    S4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
    S4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-07 c:\windows\Tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    - c:\program files\AVG\AVG PC Tuneup\BoostSpeed.exe [2012-02-27 22:20]
    .
    2012-03-07 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
    - c:\windows\system32\mobsync.exe [2006-02-28 10:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://encrypted.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: bethesdahealthcare.com
    Trusted Zone: bethesdahealthcare.com\bcsg2
    TCP: DhcpNameServer = 192.168.1.254
    DPF: MIW Deployment - hxxps://64.135.121.50/downloads/MIWDeploy.cab
    DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} - hxxp://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB
    DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} - hxxps://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_26//sframe/IETools.cab
    DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} - hxxps://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab
    DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
    DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} - hxxps://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    MSConfigStartUp-Best Malware Protection - c:\documents and settings\All Users\Application Data\d9b4a3\BMd9b_2285.exe
    MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
    MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
    AddRemove-CaptureCAM-PLAYER - c:\windows\iun6002.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-07 09:57
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(752)
    c:\windows\system32\LMIinit.dll
    .
    Completion time: 2012-03-07 10:02:28
    ComboFix-quarantined-files.txt 2012-03-07 15:02
    .
    Pre-Run: 62,731,247,616 bytes free
    Post-Run: 62,929,498,112 bytes free
    .
    - - End Of File - - 858DCE1C85DBBA207107E3F7BB82DC15
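    A ComboFix "Other Deletions" list is long and most of it is temp and cache debris, so it helps to pull out the entries that say something about the infection's tactics: executables with the names of built-in admin tools dropped into %SystemRoot% (regedit.com, regsvr32.exe), four-letter random executables in the user profile, a hex-named drop folder under All Users\Application Data, and a stray C:\hosts. Below is an added triage script, not the thread's, ComboFix's or its author's code. The path list is constructed from entries visible in the log above, and every heuristic in it (the tool-name set, the name patterns, the folder checks) is an assumption chosen to match what that log shows, not a vendor rule.

```python
"""Prioritise paths from a ComboFix 'Other Deletions' list for follow-up.

Added example; not code from the thread, from ComboFix or from its author.
The path list is constructed from entries visible in the posted log, and
every heuristic below is an assumption modelled on the tactics it shows.
"""
import ntpath
import re

# Constructed sample: a subset of the 'Other Deletions' section in the log.
SAMPLE_DELETIONS = [
    r"c:\documents and settings\All Users\Application Data\d9b4a3",
    r"c:\documents and settings\All Users\Application Data\d9b4a3\BMP.ico",
    r"c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\ejrp.exe",
    r"c:\documents and settings\ws1.PSBOYNTON\Local Settings\Application Data\ojyd.exe",
    r"C:\hosts",
    r"c:\windows\regedit.com",
    r"c:\windows\regsvr32.exe",
    r"c:\windows\system32\Cache\272512937d9e61a4.fb",
    r"c:\windows\system32\SET198.tmp",
]

# Assumption: admin tools a rogue AV typically blocks or impersonates.
ADMIN_TOOLS = {"regedit", "regsvr32", "taskmgr", "msconfig", "cmd"}
# Assumption: the short random lowercase names seen in the log (ejrp.exe ...).
RANDOM_EXE = re.compile(r"^[a-z]{4}\.exe$")
# Assumption: hex-only folder names such as d9b4a3 used as a drop directory.
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")
SYSTEM_ROOT = "c:\\windows"
HOSTS_DIR = SYSTEM_ROOT + "\\system32\\drivers\\etc"


def classify(path):
    """Return the reasons a deleted path deserves a closer look.

    An empty list means nothing is suspicious on its own (temp files, cache
    entries), which is the usual case for most of a ComboFix list.
    """
    p = path.lower().replace("/", "\\")
    head, tail = ntpath.split(p)
    stem, _ext = ntpath.splitext(tail)
    parts = p.split("\\")
    reasons = []

    if head == SYSTEM_ROOT and stem in ADMIN_TOOLS:
        # regedit.com beside regedit.exe is picked first under the default
        # PATHEXT order (.COM before .EXE); a second regsvr32.exe in
        # %SystemRoot% collides with the real one in System32.
        reasons.append(f"{tail} in %SystemRoot% collides with a built-in admin tool")
    if "\\local settings\\application data" in head and RANDOM_EXE.match(tail):
        reasons.append("random four-letter executable in the user profile")
    if "application data" in p and any(HEX_NAME.match(c) for c in parts):
        reasons.append("inside a hex-named drop folder under Application Data")
    if tail == "hosts" and head != HOSTS_DIR:
        reasons.append("stray 'hosts' file outside drivers\\etc")
    return reasons


def triage(paths):
    """Return [(path, reasons)] for every path with at least one reason."""
    return [(path, classify(path)) for path in paths if classify(path)]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DELETIONS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

    On the sample list it keeps seven of the nine entries and drops the SET*.tmp and Cache\*.fb lines. The flagged paths are the ones worth checking in the quarantine (ComboFix-quarantined-files.txt) and worth searching for on the other office machines, since the same dropper names and the d9b4a3 folder would appear wherever the same rogue landed.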
  8. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Did you take care of it?

    Combofix log looks good.
    Is the redirection gone?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    Redirects are still present after Combofix. The CPU was only overheating when using Combofix; regular use of the computer has never caused that to my knowledge, but as a temp fix, yeah, I fixed it.

    OTL logfile created on: 3/7/2012 4:27:38 PM - Run 1
    OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\ws1.PSBOYNTON\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    991.23 Mb Total Physical Memory | 508.86 Mb Available Physical Memory | 51.34% Memory free
    2.33 Gb Paging File | 1.94 Gb Available in Paging File | 83.09% Paging File free
    Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 58.58 Gb Free Space | 78.63% Space Free | Partition Type: NTFS

    Computer Name: WS101 | User Name: ws1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    PRC - [2010/03/10 23:22:04 | 000,599,408 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    PRC - [2010/03/10 23:21:16 | 000,300,400 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2004/11/15 05:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


    ========== Modules (No Company Name) ==========


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
    SRV - [2011/12/20 09:09:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mbr)
    DRV - File not found [Kernel | Auto | Stopped] -- -- (LMIInfo)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - File not found [Kernel | Auto | Stopped] -- -- (ASInsHelp)
    DRV - [2011/12/20 09:09:15 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
    DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
    DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
    DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV - [2009/10/05 09:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
    DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2005/03/04 02:40:58 | 000,243,200 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
    DRV - [2005/03/03 14:41:20 | 000,011,776 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
    DRV - [2004/11/17 06:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
    DRV - [2003/07/17 20:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
    IE - HKLM\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1


    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://encrypted.google.com/
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={E8F0ED9D-DD26-4DFA-8F61-019A50FEA5DD}&mid=8c5f7c80478b47d69709d15cb406d42b-af1ffedc1e63af8a5e4c9b0cb243349fa28e2f3f&lang=en&ds=AVG&pr=fr&d=2011-10-10 10:42:59&v=8.0.0.34&sap=dsp&q={searchTerms}
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F5FFAD6B-58F2-4BD3-864C-7D8CD81F49D3&apn_sauid=B4396621-ACB3-4BCD-B7DC-1E8460871B93
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/16 16:58:02 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/03/18 10:31:36 | 000,002,064 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 192.168.1.200 server
    O1 - Hosts: 74.50.127.5 www.google.com
    O1 - Hosts: 74.50.127.5 google.com
    O1 - Hosts: 74.50.127.5 google.com.au
    O1 - Hosts: 74.50.127.5 www.google.com.au
    O1 - Hosts: 74.50.127.5 google.be
    O1 - Hosts: 74.50.127.5 www.google.be
    O1 - Hosts: 74.50.127.5 google.com.br
    O1 - Hosts: 74.50.127.5 www.google.com.br
    O1 - Hosts: 74.50.127.5 google.ca
    O1 - Hosts: 74.50.127.5 www.google.ca
    O1 - Hosts: 74.50.127.5 google.ch
    O1 - Hosts: 74.50.127.5 www.google.ch
    O1 - Hosts: 74.50.127.5 google.de
    O1 - Hosts: 74.50.127.5 www.google.de
    O1 - Hosts: 74.50.127.5 google.dk
    O1 - Hosts: 74.50.127.5 www.google.dk
    O1 - Hosts: 74.50.127.5 google.fr
    O1 - Hosts: 74.50.127.5 www.google.fr
    O1 - Hosts: 74.50.127.5 google.ie
    O1 - Hosts: 74.50.127.5 www.google.ie
    O1 - Hosts: 74.50.127.5 google.it
    O1 - Hosts: 74.50.127.5 www.google.it
    O1 - Hosts: 74.50.127.5 google.co.jp
    O1 - Hosts: 24 more lines...
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
    O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
    O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([bcsg2] https in Trusted sites)
    O16 - DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} http://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB (PyramHelp.cHelp)
    O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} https://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab (Soarian Frame Tools for Internet Explorer)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1318263123862 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} https://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab (WebClientInstall Class)
    O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} https://techinline.net/Client/TIClient.cab (TIClientControl Object)
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} https://pacs.floridaopenimaging.com/plugins/jre/1_4/amicasjreinstaller_1_4_silent.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Java Plug-in 1.5.0_08)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} https://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab (Ter Control)
    O16 - DPF: MIW Deployment https://64.135.121.50/downloads/MIWDeploy.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSBOYNTON.local
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D33FCFC5-C20A-4187-9630-34890668D0D4}: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/07 16:26:33 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    [2012/03/07 09:42:33 | 004,428,654 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
    [2012/03/07 09:22:02 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/03/07 08:58:18 | 000,000,000 | ---D | C] -- C:\found.000
    [2012/03/07 04:03:43 | 000,000,000 | ---D | C] -- C:\caa6c23f234c07a82a4f7e
    [2012/03/06 16:46:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2012/03/06 16:31:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/03/06 16:26:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/03/06 16:26:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/03/06 16:26:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/03/06 16:26:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/03/06 16:26:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/03/06 16:26:31 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/03/06 16:24:02 | 004,428,059 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
    [2012/03/02 16:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RK_Quarantine
    [2012/03/02 16:05:15 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
    [2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\My Documents\My Videos
    [2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Start Menu\Programs\Administrative Tools
    [2012/02/29 08:22:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
    [2012/02/27 09:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
    [2012/02/27 08:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    [2012/03/07 12:15:40 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
    [2012/03/07 09:43:08 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
    [2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
    [2012/03/07 09:36:21 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2012/03/07 09:35:32 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/07 09:32:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/07 09:09:22 | 000,441,544 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/07 09:09:22 | 000,071,480 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/07 09:00:01 | 000,245,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/07 04:02:11 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/07 03:08:09 | 002,004,257 | ---- | M] () -- C:\WINDOWS\iis6.BAK
    [2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
    [2012/03/05 09:40:04 | 000,000,257 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\Iron Mountain Connect Login.url
    [2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
    [2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
    [2012/02/29 08:22:54 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/29 08:22:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
    [2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
    [2012/02/27 08:59:56 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
    [2012/02/27 08:59:56 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
    [2012/02/24 08:45:02 | 089,952,282 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/02/22 18:14:27 | 000,252,226 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
    [2012/02/16 16:58:02 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
    [2012/02/16 16:31:42 | 000,620,460 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/07 09:43:01 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
    [2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2012/03/06 16:31:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/03/06 16:31:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/03/06 16:26:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/03/06 16:26:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/03/06 16:26:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/03/06 16:26:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/03/06 16:26:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/03/02 16:18:41 | 001,339,904 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
    [2012/02/29 08:22:54 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/29 08:22:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
    [2012/02/27 09:00:20 | 000,000,364 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2012/02/27 08:59:56 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
    [2012/02/27 08:59:56 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
    [2012/02/16 16:52:54 | 000,000,392 | -H-- | C] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
    [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
    [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymbp.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fjpr.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\edod.exe
    [2010/05/20 09:26:49 | 000,081,920 | ---- | C] () -- C:\WINDOWS\OEMQuery.exe

    ========== LOP Check ==========

    [2011/05/02 10:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
    [2011/10/10 11:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\AVG Secure Search
    [2011/10/10 11:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\ICAClient
    [2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
    [2011/12/06 15:12:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
    [2010/02/23 14:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2011/03/17 13:51:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\BMLOHDMPAP
    [2010/09/10 12:22:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
    [2011/03/18 10:56:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/02/16 16:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
    [2011/11/21 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lytec
    [2011/12/06 14:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McKesson
    [2012/02/24 08:45:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/11/21 16:38:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
    [2010/07/08 11:06:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\AMICAS
    [2010/09/10 12:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\ICAClient
    [2012/02/27 09:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
    [2011/12/06 15:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG2012
    [2011/05/02 14:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ICAClient
    [2011/12/07 15:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ntr
    [2012/03/07 09:36:21 | 000,000,364 | ---- | M] () -- C:\WINDOWS\Tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2012/03/07 12:15:40 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/02/15 10:09:50 | 000,001,024 | ---- | M] () -- C:\.rnd
    [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2012/03/07 10:02:29 | 000,011,888 | ---- | M] () -- C:\ComboFix.txt
    [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/03/17 14:44:13 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2011/11/17 07:43:37 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2012/03/07 09:32:31 | 1560,281,088 | -HS- | M] () -- C:\pagefile.sys
    [2009/03/19 13:09:59 | 000,019,538 | ---- | M] () -- C:\setup.log

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2007/04/11 14:05:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2006/01/30 09:00:00 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
    [2011/12/20 09:09:15 | 000,052,096 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
    [2003/06/18 16:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2007/04/11 21:39:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2007/04/11 21:39:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2007/04/11 21:39:14 | 000,884,736 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2011/11/17 08:04:03 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/05/02 10:54:32 | 000,000,060 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2011/05/02 10:54:32 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
    [2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
    [2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
    [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    [2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
    [2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/03/07 09:36:21 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2006/02/28 07:00:00 | 000,000,065 | RH-- | M] () -- C:\WINDOWS\tasks\desktop.ini
    [2012/03/07 10:02:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2012/03/07 12:15:40 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/05/02 10:54:32 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/05/02 10:52:59 | 000,009,338 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >
  10. severedgein


    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/11/17 06:10:26 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\desktop.ini
    [2012/03/07 16:25:44 | 000,212,992 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 00:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 00:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 23:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 23:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 23:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 00:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 00:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    < End of report >
    -----------------------------------------------

    OTL Extras logfile created on: 3/7/2012 4:27:38 PM - Run 1
    OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\ws1.PSBOYNTON\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    991.23 Mb Total Physical Memory | 508.86 Mb Available Physical Memory | 51.34% Memory free
    2.33 Gb Paging File | 1.94 Gb Available in Paging File | 83.09% Paging File free
    Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 58.58 Gb Free Space | 78.63% Space Free | Partition Type: NTFS

    Computer Name: WS101 | User Name: ws1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
    "Enabled" = 1
    "AllowUserPrefMerge" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
    "Enabled" = 1
    "AllowUserPrefMerge" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
    "135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
    "Enabled" = 1
    "RemoteAddresses" = LocalSubnet

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" = *

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
    "AllowUserPrefMerge" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
    "AllowUserPrefMerge" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Lytec 2011\Lytec.exe" = C:\Program Files\Lytec 2011\Lytec.exe:*:Enabled:Lytec -- (McKesson)
    "C:\Program Files\Simego\SQL Admin Studio\Simego.SQLTools.Explorer.exe" = C:\Program Files\Simego\SQL Admin Studio\Simego.SQLTools.Explorer.exe:*:Enabled:SQL Admin Studio -- (Simego)
    "C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{023D64D7-E7B4-47C7-BE6E-B7C2E8960D08}" = Citrix online plug-in (Web)
    "{0360D8F0-626A-4E87-8A16-938BD0BEBCC5}" = 32 Bit HP CIO Components Installer
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{299120B9-CD21-43F6-87A5-95BD0673EE45}" = SQL Admin Studio
    "{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
    "{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup
    "{6F8EAC65-314D-4D86-9557-BC9312AACCB0}" = Citrix online plug-in (USB)
    "{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
    "{8144262B-25B4-44F6-8204-FCC8EF50179F}" = Citrix online plug-in (DV)
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A3AE0EFB-C8C2-4AF5-9841-459DB1C138CF}" = Crystal Reports 10 Support Files
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{ca5da644-8de3-4323-b659-843b63272ba9}" = Revenue Management
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
    "{E7E84E23-C5C0-4B15-B13A-C63149E59C98}" = AVG 2012
    "{EA74A293-3FAC-4D1B-AE3A-3BD47FADDC20}" = Citrix online plug-in (HDX)
    "{ED01C034-09A6-4C4F-A7B5-A1B5ADBA4542}" = Lytec 2011 Professional
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "AsusUpdate" = AsusUpdate
    "AVG" = AVG 2012
    "CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "SiS VGA Driver" = SiS VGA Utilities
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 11/21/2011 2:35:47 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 11/21/2011 2:36:02 PM | Computer Name = WS101 | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 11/21/2011 2:38:41 PM | Computer Name = WS101 | Source = Userenv | ID = 1053
    Description = Windows cannot determine the user or computer name. (The specified
    domain either does not exist or could not be contacted. ). Group Policy processing
    aborted.

    Error - 11/21/2011 2:49:40 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 11/21/2011 2:49:55 PM | Computer Name = WS101 | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 11/21/2011 2:54:45 PM | Computer Name = WS101 | Source = Userenv | ID = 1053
    Description = Windows cannot determine the user or computer name. (The specified
    domain either does not exist or could not be contacted. ). Group Policy processing
    aborted.

    Error - 11/21/2011 2:59:48 PM | Computer Name = WS101 | Source = Userenv | ID = 1053
    Description = Windows cannot determine the user or computer name. (The specified
    domain either does not exist or could not be contacted. ). Group Policy processing
    aborted.

    Error - 11/21/2011 3:03:30 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 11/21/2011 3:03:46 PM | Computer Name = WS101 | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 11/21/2011 3:03:51 PM | Computer Name = WS101 | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    [ System Events ]
    Error - 3/7/2012 10:19:23 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 3/7/2012 10:32:51 AM | Computer Name = WS101 | Source = Ntfs | ID = 262199
    Description = The file system structure on the disk is corrupt and unusable. Please
    run the chkdsk utility on the volume C:.

    Error - 3/7/2012 10:33:09 AM | Computer Name = WS101 | Source = NETLOGON | ID = 5719
    Description = No Domain Controller is available for domain PSBOYNTON due to the
    following: %%1311. Make sure that the computer is connected to the network and try
    again.
    If the problem persists, please contact your domain administrator.

    Error - 3/7/2012 10:33:21 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7000
    Description = The ASInsHelp service failed to start due to the following error:
    %%2

    Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the LMIGuardianSvc service
    to connect.

    Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7000
    Description = The LMIGuardianSvc service failed to start due to the following error:
    %%1053

    Error - 3/7/2012 10:33:23 AM | Computer Name = WS101 | Source = Service Control Manager | ID = 7000
    Description = The LogMeIn Kernel Information Provider service failed to start due
    to the following error: %%2

    Error - 3/7/2012 10:33:36 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 3/7/2012 10:48:52 AM | Computer Name = WS101 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 29 minutes. NtpClient has no source of accurate
    time.


    < End of report >


    ------------------------------------------
    Thank you very much for your time and patience, Broni!
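The three sections of the Extras log that matter most for a rogue-AV infection of this kind are Shell Spawning (the exefile/comfile "open" commands, which rogues hijack so that every program launch runs the rogue first), Security Center Settings (the *DisableNotify and *Override flags that silence the "updates are turned off" balloon) and Firewall Settings (EnableFirewall per profile). The checker below is an added example for triaging those sections and is not part of the thread or of OldTimer's OTL; the two sample logs embedded in it are constructed, the clean one copied from the entries posted above and the hijacked one a hypothetical variant with an invented rogue path.

```python
"""Triage the Shell Spawning, Security Center and Firewall sections of an OTL Extras log."""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^========== (.+?) ==========$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")

# The only acceptable [open] command for these launcher classes on a stock XP box.
SAFE_OPEN = '"%1" %*'
LAUNCH_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}

# Security Center flags that must stay 0; a 1 hides the AV/firewall/updates warnings.
SC_MUST_BE_ZERO = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                   "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride"}

# Constructed sample: the clean entries from the posted Extras log.
CLEAN_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"EnableFirewall" = 1
"""

# Constructed sample: a hypothetical hijacked box (rogue path is invented).
HIJACKED_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "C:\Documents and Settings\All Users\Application Data\hypothetical\rogue.exe" -a "%1" %*

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""


def parse_extras(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {section: [(registry_key, name, value), ...]}.

    Shell Spawning entries are stored as (registry_key, 'class [verb]', command).
    """
    sections: Dict[str, List[Tuple[str, str, str]]] = {}
    section, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), ""
            sections.setdefault(section, [])
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and section:
            sections[section].append((key, m.group(1), m.group(2)))
            continue
        m = SPAWN_RE.match(line)
        if m and section == "Shell Spawning":
            sections[section].append((key, f"{m.group(1)} [{m.group(2)}]", m.group(3)))
    return sections


def triage(text: str) -> List[str]:
    """Return human-readable findings; an empty list means these three checks are clean."""
    findings: List[str] = []
    sections = parse_extras(text)

    for _, name, command in sections.get("Shell Spawning", []):
        cls, verb = name.split(" ")
        if cls in LAUNCH_CLASSES and verb == "[open]" and command != SAFE_OPEN:
            findings.append(f"{cls} open command hijacked: {command}")

    for _, name, value in sections.get("Security Center Settings", []):
        if name in SC_MUST_BE_ZERO and value != "0":
            findings.append(f"Security Center {name} = {value} (notifications suppressed)")

    for key, name, value in sections.get("Firewall Settings", []):
        if name == "EnableFirewall" and value != "1":
            profile = key.rsplit("\\", 1)[-1]
            findings.append(f"Windows Firewall disabled for {profile}")
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("hijacked", HIJACKED_LOG)):
        print(label, triage(log) or "no findings")
```

Run against the Extras log posted above, these checks return nothing: the launcher classes still map to `"%1" %*`, every Security Center notify/override flag is 0 and both firewall profiles are enabled, so a rogue that only tampered with these keys would already have been cleaned out. Paste a log from the full machine (the checker tolerates OTL's leading indentation) and any hit points straight at the registry key to repair.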
  11. Broni

    Broni Malware Annihilator

  12. severedgein

    severedgein Newcomer, in training Topic Starter

    Broni, OTL did not create the Extras.txt log file this time.

    OTL logfile created on: 3/9/2012 4:58:29 PM - Run 2
    OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\ws1.PSBOYNTON\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    991.23 Mb Total Physical Memory | 642.23 Mb Available Physical Memory | 64.79% Memory free
    2.33 Gb Paging File | 2.11 Gb Available in Paging File | 90.42% Paging File free
    Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 58.77 Gb Free Space | 78.89% Space Free | Partition Type: NTFS

    Computer Name: WS101 | User Name: ws1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    PRC - [2012/01/24 17:24:26 | 005,781,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgmfapx.exe
    PRC - [2012/01/24 17:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
    PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
    PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    PRC - [2011/10/10 06:23:34 | 000,973,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
    PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
    PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    PRC - [2010/03/10 23:22:04 | 000,599,408 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    PRC - [2010/03/10 23:21:16 | 000,300,400 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2004/11/15 05:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


    ========== Modules (No Company Name) ==========


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
    SRV - [2011/12/20 09:09:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | Auto | Stopped] -- -- (LMIInfo)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
    DRV - File not found [Kernel | Auto | Stopped] -- -- (ASInsHelp)
    DRV - [2011/12/20 09:09:15 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
    DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
    DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
    DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV - [2009/10/05 09:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
    DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2005/03/04 02:40:58 | 000,243,200 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
    DRV - [2005/03/03 14:41:20 | 000,011,776 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
    DRV - [2004/11/17 06:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
    DRV - [2003/07/17 20:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
    IE - HKLM\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1


    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={20A950D9-7605-4611-905F-7251B5DD4C4D}&mid=8c5f7c80478b47d69709d15cb406d42b-af1ffedc1e63af8a5e4c9b0cb243349fa28e2f3f&lang=en&ds=AVG&pr=fr&d=&v=&sap=dsp&q={searchTerms}
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F5FFAD6B-58F2-4BD3-864C-7D8CD81F49D3&apn_sauid=B4396621-ACB3-4BCD-B7DC-1E8460871B93
    IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/03/09 16:54:12 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/12/22 16:11:00 | 000,000,732 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
    O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
    O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([bcsg2] https in Trusted sites)
    O16 - DPF: {36F4234C-854C-48DD-90F1-708FA0F19562} http://pyramisweb.bethesdahealthcare.com/PyramisUI/downloads/PyramHelp.CAB (PyramHelp.cHelp)
    O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} https://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab (Soarian Frame Tools for Internet Explorer)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1318263123862 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} https://magicweb.bethesdahealthcare.com/magicweb/cabs/WebClientInstall.cab (WebClientInstall Class)
    O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} https://techinline.net/Client/TIClient.cab (TIClientControl Object)
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} https://pacs.floridaopenimaging.com/plugins/jre/1_4/amicasjreinstaller_1_4_silent.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Java Plug-in 1.5.0_08)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} https://netaccess.bethesdahealthcare.com/NTAPSMS-NTAP-HTM/webPrint.cab (Ter Control)
    O16 - DPF: MIW Deployment https://64.135.121.50/downloads/MIWDeploy.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSBOYNTON.local
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D33FCFC5-C20A-4187-9630-34890668D0D4}: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/09 16:58:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2012/03/09 16:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG2012
    [2012/03/09 16:54:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
    [2012/03/08 09:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2012/03/07 16:26:33 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    [2012/03/07 09:42:33 | 004,428,654 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
    [2012/03/07 09:22:02 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/03/07 08:58:18 | 000,000,000 | ---D | C] -- C:\found.000
    [2012/03/07 04:03:43 | 000,000,000 | ---D | C] -- C:\caa6c23f234c07a82a4f7e
    [2012/03/06 16:46:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2012/03/06 16:31:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/03/06 16:26:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/03/06 16:26:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/03/06 16:26:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/03/06 16:26:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/03/06 16:26:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/03/06 16:26:31 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/03/06 16:24:02 | 004,428,059 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
    [2012/03/02 16:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RK_Quarantine
    [2012/03/02 16:05:15 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
    [2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\My Documents\My Videos
    [2012/02/29 08:50:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Start Menu\Programs\Administrative Tools
    [2012/02/29 08:22:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
    [2012/02/27 09:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
    [2012/02/27 08:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/09 17:00:46 | 058,794,243 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2012/03/09 16:54:12 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
    [2012/03/09 16:47:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2012/03/09 16:46:28 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/09 16:43:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/09 12:14:47 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
    [2012/03/08 14:25:31 | 000,000,257 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\Iron Mountain Connect Login.url
    [2012/03/08 03:04:17 | 000,441,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/08 03:04:17 | 000,071,482 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    [2012/03/07 09:43:08 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
    [2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe
    [2012/03/07 09:00:01 | 000,245,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/07 04:03:23 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/07 03:08:09 | 002,004,257 | ---- | M] () -- C:\WINDOWS\iis6.BAK
    [2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
    [2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
    [2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
    [2012/02/29 08:22:54 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/29 08:22:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\dds.scr
    [2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
    [2012/02/27 08:59:56 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
    [2012/02/27 08:59:56 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
    [2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/02/16 16:31:42 | 000,620,460 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/09 16:54:12 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
    [2012/03/07 09:43:01 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\rkill.com
    [2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/03/06 16:53:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2012/03/06 16:31:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/03/06 16:31:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/03/06 16:26:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/03/06 16:26:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/03/06 16:26:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/03/06 16:26:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/03/06 16:26:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/03/02 16:18:41 | 001,339,904 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
    [2012/02/29 08:22:54 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/29 08:22:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
    [2012/02/27 09:00:20 | 000,000,364 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2012/02/27 08:59:56 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
    [2012/02/27 08:59:56 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\AVG PC Tuneup 2011.lnk
    [2012/02/16 16:52:54 | 000,000,392 | -H-- | C] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job
    [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
    [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymbp.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fjpr.exe
    [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\edod.exe
    [2010/05/20 09:26:49 | 000,081,920 | ---- | C] () -- C:\WINDOWS\OEMQuery.exe

    ========== LOP Check ==========

    [2011/05/02 10:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
    [2011/10/10 11:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\AVG Secure Search
    [2011/10/10 11:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.PSBOYNTON\Application Data\ICAClient
    [2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
    [2012/03/09 17:07:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
    [2010/02/23 14:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2011/03/17 13:51:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\BMLOHDMPAP
    [2010/09/10 12:22:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
    [2011/03/18 10:56:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/02/16 16:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
    [2011/11/21 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lytec
    [2011/12/06 14:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McKesson
    [2012/03/09 17:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2012/03/09 16:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2011/11/21 16:38:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
    [2010/07/08 11:06:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\AMICAS
    [2010/09/10 12:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1\Application Data\ICAClient
    [2012/02/27 09:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG
    [2012/03/09 16:56:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\AVG2012
    [2011/05/02 14:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ICAClient
    [2011/12/07 15:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\ntr
    [2012/03/09 16:47:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\Tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2012/03/09 12:14:47 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/02/15 10:09:50 | 000,001,024 | ---- | M] () -- C:\.rnd
    [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2012/02/23 15:04:06 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/03/06 16:31:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2012/03/07 10:02:29 | 000,011,888 | ---- | M] () -- C:\ComboFix.txt
    [2007/04/11 14:06:13 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/03/17 14:44:13 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2007/04/11 14:06:13 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2011/11/17 07:43:37 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2012/03/09 16:43:10 | 1560,281,088 | -HS- | M] () -- C:\pagefile.sys
    [2009/03/19 13:09:59 | 000,019,538 | ---- | M] () -- C:\setup.log

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2007/04/11 14:05:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2006/01/30 09:00:00 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
    [2011/12/20 09:09:15 | 000,052,096 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
    [2003/06/18 16:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2007/04/11 21:39:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2007/04/11 21:39:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2007/04/11 21:39:14 | 000,884,736 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2011/11/17 08:04:03 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/05/02 10:54:32 | 000,000,060 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2011/05/02 10:54:32 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2012/03/02 16:05:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\aswMBR.exe
    [2012/03/06 16:26:16 | 004,428,059 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\ComboFix.exe
    [2012/02/29 08:22:12 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\feym0l94.exe
    [2012/03/07 16:27:12 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
    [2012/03/02 16:19:14 | 001,339,904 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\RogueKiller.exe
    [2012/03/07 09:42:46 | 004,428,654 | R--- | M] (Swearware) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\your_name.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/03/09 16:47:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup Integrator Start On ws1 Logon.job
    [2006/02/28 07:00:00 | 000,000,065 | RH-- | M] () -- C:\WINDOWS\tasks\desktop.ini
    [2012/03/09 16:43:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2012/03/09 17:17:22 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_PSBOYNTON_ws1.job

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/05/02 10:54:32 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/05/02 10:52:59 | 000,009,338 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/11/17 06:10:26 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\desktop.ini
    [2012/03/09 16:58:18 | 000,212,992 | ---- | M] () -- C:\Documents and Settings\ws1.PSBOYNTON\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 00:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 00:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 23:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 23:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 23:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 00:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 00:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

    < End of report >
  13. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Still redirected?

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
      IE - HKLM\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1
      IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
      IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
      IE - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US& apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F5FFAD6B-58F2-4BD3-864C-7D8CD81F49D3&apn_sauid=B4396621-ACB3-4BCD-B7DC-1E8460871B93
      O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([]https in Trusted sites)
      O15 - HKU\S-1-5-21-3566315747-1333721964-492098383-1140\..Trusted Domains: bethesdahealthcare.com ([bcsg2] https in Trusted sites)
      O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} https://pacs.floridaopenimaging.com/...1_4_silent.cab (Reg Error: Key error.)
      O16 - DPF: MIW Deployment https://64.135.121.50/downloads/MIWDeploy.cab (Reg Error: Key error.)
      [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
      [2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
      [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
      [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymbp.exe
      [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fjpr.exe
      [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\edod.exe
      [2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
      @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered; reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
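As an added example (not part of this thread, and not OTL's own code), a small Python triage script that pulls out of an OTL log the kinds of entries the fix above targets: a service whose binary is missing, a URLSearchHook with no registered CLSID, hidden+system files with long random names, zero-byte executables, and alternate data streams. The regexes, heuristics and function names are my own assumptions about the OTL line formats seen in this thread; the sample lines are copied from the logs posted here plus a few benign ones that must not be flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical patterns for the OTL line formats seen in this thread.
# File/folder line: [2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\...\yroi.exe
FILE_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
SERVICE_MISSING = re.compile(r"^SRV - File not found .*\((?P<name>[^)]+)\)$")
ORPHAN_HOOK = re.compile(r"URLSearchHook: (?P<clsid>\{[0-9A-Fa-f-]+\}) - No CLSID value found$")
ADS_ENTRY = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<target>.+)$")
RANDOM_NAME = re.compile(r"[a-z0-9]{20,}")  # long, extension-less, lowercase alnum


@dataclass
class Finding:
    reason: str
    detail: str


@dataclass
class FileEntry:
    timestamp: str
    size: int      # bytes
    attrs: str     # R/H/S/D flags, '-' when unset
    company: str   # empty when OTL printed "()"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one '[date | size | attrs | C/M] (company) -- path' line, else None."""
    m = FILE_ENTRY.match(line.strip())
    if not m:
        return None
    return FileEntry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                     m["company"] or "", m["path"])


def looks_random(name: str) -> bool:
    """Names like 4jt08j3453lv...: long, no extension, mixing letters and digits."""
    return (RANDOM_NAME.fullmatch(name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage_file(entry: FileEntry) -> List[Finding]:
    """Heuristics for a single file entry; directories are skipped."""
    findings: List[Finding] = []
    if entry.is_dir:
        return findings
    if entry.size == 0 and entry.name.lower().endswith(".exe"):
        findings.append(Finding("zero-byte executable", entry.path))
    if "H" in entry.attrs and "S" in entry.attrs and looks_random(entry.name):
        findings.append(Finding("hidden+system file with random name", entry.path))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Walk an OTL log and collect entries worth a second look."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_file_entry(line)
        if entry is not None:
            findings.extend(triage_file(entry))
            continue
        if (m := SERVICE_MISSING.match(line)):
            findings.append(Finding("service whose binary is missing", m["name"]))
        elif (m := ORPHAN_HOOK.search(line)):
            findings.append(Finding("URLSearchHook with no registered CLSID", m["clsid"]))
        elif (m := ADS_ENTRY.match(line)):
            findings.append(Finding("alternate data stream on a folder or file", m["target"]))
    return findings


# Constructed sample: lines copied from the logs in this thread plus benign ones
# (OTL.exe, desktop.ini, ComboFix's cmldr) that must not be flagged.
SAMPLE_LOG = r"""
SRV - File not found [On_Demand | Stopped] -- -- (B-Service)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
[2012/03/07 16:26:33 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ws1.PSBOYNTON\Desktop\OTL.exe
[2011/07/29 08:00:54 | 000,001,348 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
[2011/07/29 08:00:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yroi.exe
[2007/04/11 14:05:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.detail}")
```

The heuristics only shortlist entries for a human to review; a legitimate hidden+system file such as cmldr or desktop.ini passes through untouched, and anything flagged still needs confirmation before it goes into an :OTL fix.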
  14. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    The redirect seems to be gone. Internet options are accessible again, and the Windows security alert doesn't show "Best Malware Protection" as the antivirus program; also, Windows updates have been installing and I have been able to adjust the update settings.

    LOG:

    All processes killed
    ========== OTL ==========
    Service B-Service stopped successfully!
    Service B-Service deleted successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF739809-1C6C-47C0-85B9-569DBB141420}\ not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry key HKEY_USERS\S-1-5-21-3566315747-1333721964-492098383-1140\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF739809-1C6C-47C0-85B9-569DBB141420}\ not found.
    Registry key HKEY_USERS\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bethesdahealthcare.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3566315747-1333721964-492098383-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bethesdahealthcare.com\bcsg2\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}
    C:\WINDOWS\Downloaded Program Files\amicasjreinstaller_1_4_silent.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control MIW Deployment
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\MIW Deployment\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\MIW Deployment\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\MIW Deployment\ not found.
    C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27 moved successfully.
    C:\Documents and Settings\All Users\Application Data\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27 moved successfully.
    C:\Documents and Settings\All Users\Application Data\yroi.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\ymbp.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\fjpr.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\edod.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\Ask\APN-Stub folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Ask folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Flash cache emptied: 348 bytes

    User: Administrator.PSBOYNTON
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 706575 bytes
    ->Java cache emptied: 488 bytes
    ->Flash cache emptied: 456 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: newpc02
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Flash cache emptied: 524 bytes

    User: ws1
    ->Temp folder emptied: 87437786 bytes
    ->Temporary Internet Files folder emptied: 52592010 bytes
    ->Java cache emptied: 62263080 bytes
    ->Flash cache emptied: 3155421 bytes

    User: ws1.PSBOYNTON
    ->Temp folder emptied: 1713502 bytes
    ->Temporary Internet Files folder emptied: 44860925 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 2355 bytes

    User: __sbs_netsetup__
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 4234508 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 25494 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 493706 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 4051254 bytes

    Total Files Cleaned = 250.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: Administrator.PSBOYNTON
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: newpc02

    User: ws1
    ->Java cache emptied: 0 bytes

    User: ws1.PSBOYNTON
    ->Java cache emptied: 0 bytes

    User: __sbs_netsetup__

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: Administrator.PSBOYNTON
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: newpc02
    ->Flash cache emptied: 0 bytes

    User: ws1
    ->Flash cache emptied: 0 bytes

    User: ws1.PSBOYNTON
    ->Flash cache emptied: 0 bytes

    User: __sbs_netsetup__

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.35.1 log created on 03142012_082920

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  15. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Good news :)

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
  16. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    Logs:

    Security Check:
    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2012
    AVG PC Tuneup
    AVG 2012
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    AVG PC Tuneup
    Java(TM) 6 Update 31
    Java 2 Runtime Environment, SE v1.4.2_06
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ``````````End of Log````````````

    -------------------------------------------------------------
    FSS:
    Farbar Service Scanner Version: 01-03-2012
    Ran by ws1 (administrator) on 18-03-2012 at 09:11:49
    Running from "C:\Documents and Settings\ws1.PSBOYNTON\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Avgtdix(15) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x100000000500000001000000020000000300000004000000560000000A0000000B0000000C0000000D0000000E0000000F00000006000000070000000800000009000000
    IpSec Tag value is correct.

    **** End of log ****

    -----------------------------------------------------------

    ESET:
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\d9b4a3\276.mof.vir Win32/RogueAV.A trojan cleaned by deleting - quarantined
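    Reading FSS logs by hand across several workstations gets tedious, so here is an added example (not from this thread and not part of Farbar Service Scanner) that parses the log format shown above and flags the two things a responder checks first: File Check entries whose MD5 did not verify, and "... Disabled Policy" sections that are not empty (an empty section, as in the log above, is the healthy state). Both sample logs are constructed; the wording "MD5 is not legit" and the registry lines under the policy header are assumptions about FSS output, not copied from it.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example, not code from the thread or from FSS. Sample logs are
constructed; the exact wording FSS uses for a failed hash or for a
policy entry is an assumption.
"""
import re
from typing import Dict, List, Tuple

HEADER_UNDERLINE = re.compile(r"^=+$")
FILE_CHECK_LINE = re.compile(r"^(?P<path>.+?)\s*=>\s*(?P<verdict>.+)$")

# Constructed: mirrors the thread's clean log (hashes verify, no policies).
CLEAN_FSS_LOG = r"""
Farbar Service Scanner Version: 01-03-2012
****************************************************************

Firewall Disabled Policy:
==================

File Check:
========
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit

**** End of log ****
"""

# Constructed: a tampered wuauserv.dll and a policy that switches the firewall off.
SUSPECT_FSS_LOG = r"""
Farbar Service Scanner Version: 01-03-2012
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore Disabled Policy:
========================

File Check:
========
C:\WINDOWS\system32\wuauserv.dll => MD5 is not legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit

**** End of log ****
"""


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split a log into {section name: [content lines]}.

    A header is a line ending in ':' whose next line is made only of '='.
    Blank lines and the '****' banner lines are dropped.
    """
    lines = [ln.strip() for ln in log.splitlines()]
    sections: Dict[str, List[str]] = {}
    current = None
    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(":") and HEADER_UNDERLINE.match(nxt):
            current = line[:-1]
            sections[current] = []
            i += 2
            continue
        if current is not None and line and not line.startswith("*"):
            sections[current].append(line)
        i += 1
    return sections


def file_check_failures(log: str) -> List[Tuple[str, str]]:
    """(path, verdict) for every File Check entry not reported as 'MD5 is legit'."""
    failures = []
    for line in parse_sections(log).get("File Check", []):
        m = FILE_CHECK_LINE.match(line)
        if m and m.group("verdict").strip().lower() != "md5 is legit":
            failures.append((m.group("path").strip(), m.group("verdict").strip()))
    return failures


def disabling_policies(log: str) -> Dict[str, List[str]]:
    """Every '... Disabled Policy' section that has content (i.e. a policy is set)."""
    return {name: body for name, body in parse_sections(log).items()
            if name.endswith("Disabled Policy") and body}


def triage(log: str) -> List[str]:
    """Human-readable findings; an empty list means the log looks clean."""
    findings = [f"system file failed check: {path} ({verdict})"
                for path, verdict in file_check_failures(log)]
    findings += [f"{name} present: " + " | ".join(body)
                 for name, body in disabling_policies(log).items()]
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_FSS_LOG), ("suspect", SUSPECT_FSS_LOG)):
        print(label, "->", triage(log) or ["no findings"])
```

    A failed File Check is worth more attention than a policy entry: the services listed (wuauserv, wscsvc, cryptsvc and so on) are exactly the ones the symptoms in this thread point at, and a replaced binary is a persistence mechanism rather than a setting, so it needs the file restored from a known-good copy and not just the policy key removed.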
  17. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Uninstall Java 2 Runtime Environment, SE v1.4.2_06

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
  18. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    Here's the OTL log. I'm running the rest of the clean-up as instructed and will report back tomorrow about any issues. Thanks Broni!

    OTL Log:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Administrator.PSBOYNTON
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: newpc02
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: ws1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: ws1.PSBOYNTON
    ->Temp folder emptied: 44172 bytes
    ->Temporary Internet Files folder emptied: 11990360 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: __sbs_netsetup__
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 893 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 12.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: Administrator.PSBOYNTON
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: newpc02
    ->Flash cache emptied: 0 bytes

    User: ws1
    ->Flash cache emptied: 0 bytes

    User: ws1.PSBOYNTON
    ->Flash cache emptied: 0 bytes

    User: __sbs_netsetup__

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: Administrator.PSBOYNTON
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: newpc02

    User: ws1
    ->Java cache emptied: 0 bytes

    User: ws1.PSBOYNTON
    ->Java cache emptied: 0 bytes

    User: __sbs_netsetup__

    Total Java Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.35.1 log created on 03182012_191019

    Files\Folders moved on Reboot...
    C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\F3VSL3PW\partner[1].htm moved successfully.
    C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\Content.IE5\F3VSL3PW\showthread[1].htm moved successfully.
    C:\Documents and Settings\ws1.PSBOYNTON\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...
  19. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Very well :)
  20. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    The issue seems to be resolved.
  21. severedgein

    severedgein Newcomer, in training Topic Starter Posts: 62

    Thank you for the help Broni. The issue did seem resolved. However, not long after clean-up (1-2 days after; the only other things done were defragging/CCleaner and uninstalling a couple of other old programs), the computer started throwing C:\$mft errors and eventually stopped booting. Not sure what happened, or whether it was related to the original post or not. Either way the computer is scrap. Wish if it'd planned on dying all along it'd have done it before we both spent all that time on it. :(
  22. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Sorry to hear bad news :(

